{"id":1921,"date":"2024-03-29T03:31:31","date_gmt":"2024-03-28T18:31:31","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1921"},"modified":"2024-05-20T13:21:24","modified_gmt":"2024-05-20T04:21:24","slug":"pepassword","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1921","title":{"rendered":"PEPassword"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">2\uac1c\uc758 exe \ud30c\uc77c\ub4e4\uc774 \uc8fc\uc5b4\uc9c4\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud558\ub098\ub294 Original.exe, \ub2e4\ub978 \ud558\ub098\ub294 Packed.exe.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Original.exe<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"257\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-135.png\" alt=\"\" class=\"wp-image-1922\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-135.png 542w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-135-300x142.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\ud328\ud0b9\ub418\uc5b4\uc788\uc9c0 \uc54a\uc740 \ubc14\uc774\ub108\ub9ac\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Decompiled-src<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>WinMain<\/strong><\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)\n{\n  int v4; \/\/ eax\n  char v5; \/\/ cl\n  char v7[16]; \/\/ [esp+0h] [ebp-14Ch]\n  char v8[16]; 
\/\/ [esp+10h] [ebp-13Ch]\n  CHAR Text[32]; \/\/ [esp+20h] [ebp-12Ch] BYREF\n\n  strcpy(Text, \"Congratulation!\\r\\n\\r\\nPassword is \");\n  v7[0] = 0x2F;\n  v7[2] = 0x2F;\n  v4 = 0;\n  v8[0] = 0x10;\n  v8[1] = 0x20;\n  v8[2] = 0x30;\n  v8[3] = 0x40;\n  v8[4] = 0x50;\n  v8[5] = 0x60;\n  v8[6] = 0x70;\n  v8[7] = 0x80;\n  v8[8] = 0x90;\n  v8[9] = 0xA0;\n  v8[10] = 0xB0;\n  v8[11] = 0xC0;\n  v8[12] = 0xD0;\n  v7[1] = 0x1F;\n  v7[3] = 0x7F;\n  v7[4] = 0x6F;\n  v7[5] = 0x5F;\n  v7[6] = 0x4F;\n  v7[7] = 0xBF;\n  v7[8] = 0xAF;\n  v7[9] = 0x9F;\n  v7[10] = 0x8F;\n  v7[11] = 0xFF;\n  v7[12] = 0xD0;\n  do\n  {\n    v5 = v8[v4] ^ v7[v4];\n    v7[v4] = v5;\n    Text[v4++ + 31] = v5;\n  }\n  while ( v4 &lt; 13 );\n  MessageBoxA(0, Text, Caption, 0x40u);\n  return 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">XOR \ubcf5\ud638\ud654\ub41c Text\ub97c MessageBoxA \ud568\uc218\ub97c \ud1b5\ud574 \ud638\ucd9c\ud558\uace0 \uc788\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"314\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-136.png\" alt=\"\" class=\"wp-image-1923\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-136.png 683w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-136-300x138.png 300w\" sizes=\"auto, (max-width: 683px) 100vw, 683px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"75\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-137.png\" alt=\"\" class=\"wp-image-1924\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-137.png 515w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-137-300x44.png 300w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">0x4010D1\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uc5b4 \ud655\uc778\ud574\ubcf4\uba74 
\uc2e4\uc81c\ub85c \ubcf5\ud638\ud654\ub41c \ubb38\uc790\uc5f4\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"237\" height=\"173\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-138.png\" alt=\"\" class=\"wp-image-1925\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\uac8c \ub05d\uc774\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Packed.exe<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"257\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-139.png\" alt=\"\" class=\"wp-image-1927\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-139.png 542w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-139-300x142.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\ud328\ud0b9\ub41c \ubc14\uc774\ub108\ub9ac\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"206\" height=\"70\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-266.png\" alt=\"\" class=\"wp-image-2185\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\ub7ec\uba74 \ube44\ubc00\ubc88\ud638\ub97c \uc785\ub825\ud558\ub77c\ub294 \ucc3d\uc774 \ub098\uc624\ub294\ub370, <code>ABCD<\/code> \ubb38\uc790\uc5f4\uc744 \ub123\uace0 \ubd84\uc11d\ud574\ubcf4\uc790.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"831\" height=\"390\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-265.png\" alt=\"\" class=\"wp-image-2184\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-265.png 831w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-265-300x141.png 300w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-265-768x360.png 768w\" sizes=\"auto, (max-width: 831px) 100vw, 831px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">sub_4091D8 \ud568\uc218\uc5d0 \uc758\ud574 \ubc18\ud658\ub41c eax \uac12\uc774 0x0E98F842A\uc778\uc9c0 \ud655\uc778\ud55c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sub_4091D8 \ud568\uc218\uc758 \uc791\ub3d9 \ubc29\uc2dd\uc744 \uc0b4\ud3b4\ubcf4\uba74, <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"931\" height=\"936\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-267.png\" alt=\"\" class=\"wp-image-2186\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-267.png 931w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-267-298x300.png 298w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-267-150x150.png 150w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-267-768x772.png 768w\" sizes=\"auto, (max-width: 931px) 100vw, 931px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import sys\n\ndef ROR(data, shift, size=32):\n    shift %= size\n    body = data >> shift\n    remains = (data &lt;&lt; (size - shift)) - (body &lt;&lt; size)\n    return (body + remains)\n\ndef ROL(data, shift, size=32):\n    shift %= size\n    remains = data >> (size - shift)\n    body = (data &lt;&lt; shift) - (remains &lt;&lt; size )\n    return (body + remains)\n\ndef ah_to_eax(eax, ah):\n    eax = hex(eax).replace('0x', '')\n    eax = eax.rjust(8, \"0\")\n    
eax = \"0x\" + eax\n    eax = list(eax)\n    if(ah > 0xf):\n        eax[6] = hex(ah)[-2]\n    else:\n        eax[6] = \"0\"\n    eax[7] = hex(ah)[-1] \n    eax = ''.join(eax)\n\n    return int(eax, 16)\n\ndef al_to_eax(eax, al):\n    eax = hex(eax).replace('0x', '')\n    eax = eax.rjust(8, \"0\")\n    eax = \"0x\" + eax\n    eax = list(eax)\n    if(al > 0xf):\n        eax[8] = hex(al)[-2]\n    else:\n        eax[8] = \"0\"\n    eax[9] = hex(al)[-1] \n    eax = ''.join(eax)\n\n    return int(eax, 16)\n\ndef sub_4091D8(esi):\n    eax = 0 #004091D8 xor eax, eax\n    ah = 0\n    for i in range(len(esi)):\n        ah = ah ^ esi[i]    #004091E1: xor ah, [esi]; ah: 41(0x00 ^ 0x41), B9(0xFB ^ 0x42), 87(0xC4 ^ 0x43), B2(0xF6 ^ 0x44), 41(0x41 ^ 0x00)\n        eax = ah_to_eax(eax, ah)\n        for edx in range(0x10000, 0, -1): #control dx register\n            dl = (edx &amp; 0xffff) &amp; 0xff\n            al = eax &amp; 0xff\n            al = al ^ dl    #004091E3: xor al, dl\n            eax = al_to_eax(eax, al)\n            eax = (eax + 0x434F4445) &amp; 0xffffffff   #004091E5: add eax, 434F4445h\n            al = eax &amp; 0xff\n            cl = al #004091EA: mov cl, al\n            eax = ROR(eax, cl)  #004091EC: ror eax, cl\n            eax = eax ^ 0x55AA5A5A  #004091EE: xor eax, 55AA5A5Ah\n            ah = (eax &amp; 0xffff) >> 8\n    return eax\n        \ninput_esi = b\"ABCD\" + b\"\\x00\"\nval = sub_4091D8(input_esi)\nprint(f\"sub_4091D8 ret: {hex(val)}\")    #sub_4091D8 ret: 0xe4c86270<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\uc704\uc640 \uac19\uc774 \ud328\uc2a4\uc6cc\ub4dc\ub97c &#8220;ABCD&#8221;\ub85c \uc785\ub825\ud588\uc744\ub54c<br>sub_4091D8 \ud568\uc218\uc5d0 \ub300\ud55c \uc5f0\uc0b0\uc744 \ud30c\uc774\uc36c3 \ucf54\ub4dc\ub85c \uad6c\ud604\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ubc18\ud658\ub41c eax \uac12\uc774 0x0E98F842A\ub418\uac8c\ub054 \uc5ed\uc0b0\uc744 \uad6c\ud604\ud558\uae30\uc5d0, 
<br>\uc989 password \uae38\uc774 \uc81c\ud55c\ub3c4 \uc5c6\uace0 \uac12\uc744 \uc54c\uc544\ub0b4\uae30\ub294 \uc5b4\ub835\uae30 \ub54c\ubb38\uc5d0 <br>\uc6b0\uc120\uc740 0x0040919C \uc8fc\uc18c \uc9c0\uc810\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uace0 <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1025\" height=\"163\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-268.png\" alt=\"\" class=\"wp-image-2187\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-268.png 1025w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-268-300x48.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-268-768x122.png 768w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">eax \uac12\uc744 0x0E98F842A\ub85c \uc218\uc815\ud558\uc5ec cmp \uac80\uc0ac\ub97c \ud1b5\uacfc\ud558\uc790.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"837\" height=\"272\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-270.png\" alt=\"\" class=\"wp-image-2189\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-270.png 837w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-270-300x97.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-270-768x250.png 768w\" sizes=\"auto, (max-width: 837px) 100vw, 837px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">sub_4091D8 \ud568\uc218\uc5d0\uc11c \uac80\uc0ac\ub97c \ud1b5\uacfc\ud558\uace0\ub098\uba74, 0x4090A8 \uc8fc\uc18c\ub85c \ubcf5\uadc0\ud55c\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"894\" height=\"200\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-269.png\" alt=\"\" class=\"wp-image-2188\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-269.png 894w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-269-300x67.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-269-768x172.png 768w\" sizes=\"auto, (max-width: 894px) 100vw, 894px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\ub9ac\uace0 sub_409200 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub294 \uac83\uc744 \ubcfc \uc218 \uc788\ub294\ub370,<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"833\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-271-1024x833.png\" alt=\"\" class=\"wp-image-2190\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-271-1024x833.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-271-300x244.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-271-768x625.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-271.png 1203w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">sub_4091DA \ud568\uc218\ub294 \uc774\uc804\uc5d0 \ubd24\ub2e4\uc2dc\ud53c xor eax, eax\ub97c \uc81c\uc678\ud558\uace0\ub294 <br>sub_4091D8 \ud568\uc218\uc758 \uc791\ub3d9\ubc29\uc2dd\uc774 \uac19\uc544 \uc5ed\uc0b0\uc774 \ubd88\uac00\ub2a5\ud558\uae30\uc5d0 \ub118\uc5b4\uac00\ub3c4\ub85d \ud558\uace0,<br>loc_40921F \ubd80\ud130 \uc790\uc138\ud788 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">0x401000 \uc8fc\uc18c\uc5d0\uc11c 4\ubc14\uc774\ud2b8\uc529 0x1000\ubc88 \ubc18\ubcf5\ud558\uc5ec opcode\ub97c \ubcf5\ud638\ud654\ud558\uace0 \uc788\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud2b9\ud788 0040921F xor [edi], eax\uc5d0\uc11c <br>\ucc98\uc74c\uc5d0 edi\ub294 0x401000 \uac12\uc744 \uac00\uc9c0\uace0 \uc788\uace0, 4\ubc14\uc774\ud2b8\uc529 \ubcf5\ud638\ud654\ud558\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub294\ub370,<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">Original.exe \ud30c\uc77c\uc758 0x401000 \uc8fc\uc18c\ubd80\ud130 4\ubc14\uc774\ud2b8\uc529 \ucc38\uace0\ud574\uc11c xor \uc5f0\uc0b0\uc744 \ud1b5\ud574 eax \uac12\uc744 \uad6c\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"548\" height=\"158\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-272.png\" alt=\"\" class=\"wp-image-2191\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-272.png 548w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-272-300x86.png 300w\" sizes=\"auto, (max-width: 548px) 100vw, 548px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Original.exe \ud30c\uc77c\uc758 <br>0x401000 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0x014CEC81,<br>0x401004 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0x57560000,<br>0x401008 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0x000008B9\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"183\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-273.png\" alt=\"\" class=\"wp-image-2192\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-273.png 541w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-273-300x101.png 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Packed.exe \ud30c\uc77c\uc758<br>0x401000 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0xB6E62E17,<br>0x401004 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0x0D0C7E05,<br>0x401008 \uc8fc\uc18c\uc5d0 \uc788\ub294 4\ubc14\uc774\ud2b8\uac12\uc740 0x99C5159E\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"164\" 
src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-274-1024x164.png\" alt=\"\" class=\"wp-image-2193\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-274-1024x164.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-274-300x48.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-274-768x123.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-274.png 1086w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\ub530\ub77c\uc11c \uc704\uc640 \uac19\uc774 xor \uc5f0\uc0b0\uc744 \ub2e4\uc2dc\ud558\uba74, \ubcf5\ud638\ud654\ud558\ub294\ub370 \ud544\uc694\ud55c \uc62c\ubc14\ub978 eax\uac12\uc744 \uad6c\ud560 \uc218 \uc788\ub2e4.<br>edi\uac00 0x401000\uc77c\ub54c\ub294 eax\uac00 0xb7aac296\uc774\uc5ec\uc57c \ud55c\ub2e4.<br>edi\uac00 0x401004\uc77c\ub54c\ub294 eax\uac00 0x5a5a7e05\uc774\uc5ec\uc57c \ud55c\ub2e4.<br>edi\uac00 0x401008\uc77c\ub54c\ub294 eax\uac00 0x99c51d27\uc774\uc5ec\uc57c \ud55c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ebx\uac12\uc73c\ub85c rol, xor, ror, add \uc5f0\uc0b0\uacfc \ud568\uaed8 \uc0c8\ub85c\uc6b4 eax\uac12\uc744 \ub9e4\ubc88 \ub9cc\ub4dc\ubbc0\ub85c, <br>\uc704 3\uac00\uc9c0\uc758 eax\uac12\uc744 \ucc38\uace0\ud574\uc11c ebx\uac12\uc744 \uad6c\ud560 \uac83\uc774\ub2e4.<br>ebx \uac12\uc740 4\ubc14\uc774\ud2b8 \ud06c\uae30\uc774\ubbc0\ub85c, 0x0~0xffffffff\uae4c\uc9c0 \ube0c\ub8e8\ud2b8\ud3ec\uc2f1\uc744 \ud1b5\ud574 \ucd94\uce21\ud574\uc11c \ub54c\ub824\ub9de\ucd94\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud30c\uc774\uc36c3 \ucf54\ub4dc\ub85c \uc791\uc131\ud558\uba74 \uad49\uc7a5\ud788 \uc624\ub798\uac78\ub9ac\uae30 \ub54c\ubb38\uc5d0 <br>C\uc5b8\uc5b4 \uc791\uc131\uc774 \uc694\uad6c\ub418\uc5c8\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow 
wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdint.h>\n\nint32_t rotl32 (int32_t x \/*value*\/, unsigned int y \/*rotate*\/)\n{\n    __asm__ (\"roll %1, %0\" : \"+g\" (x) : \"cI\" ((unsigned char)y));\n    return x;\n}\n\nint32_t rotr32 (int32_t x \/*value*\/, unsigned int y \/*rotate*\/)\n{\n    __asm__ (\"rorl %1, %0\" : \"+g\" (x) : \"cI\" ((unsigned char)y));\n    return x;\n}\n\nint32_t eax_to_al(int32_t eax) {\n    return (eax &amp; 0xff);\n}\n\nint32_t ebx_to_bh(int32_t ebx) {\n    return ((ebx &amp; 0xffff) >> 8);\n}\n\nint main(void) {\n    for(int ebx = 0; ebx &lt; 0xffffffff; ebx++) {\n        int eax = 0xb7aac296;\n        int al = eax_to_al(eax);\n        int orig_ebx = ebx;\n        ebx = rotl32(ebx, al);\n        eax = eax ^ ebx;\n        int bh = ebx_to_bh(ebx);\n        eax = rotr32(eax, bh);\n\n        if(eax == 0x5a5a7e05) {\n            printf(\"orig_ebx candidate? 0x%x\\n\", orig_ebx);\n            ebx = (ebx + eax) &amp; 0xffffffff;\n            al = eax_to_al(eax);\n            ebx = rotl32(ebx, al);\n            eax = eax ^ ebx;\n            bh = ebx_to_bh(ebx);\n            eax = rotr32(eax, bh);\n            if(eax == 0x99c51d27)\n                printf(\"orig_ebx confirmed! 
0x%x\\n\", orig_ebx);\n        }\n\n        ebx = orig_ebx;\n    }\n\n    return 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/Documents$ gcc -o solve_pepassword solve_pepassword.c  &amp;&amp; .\/solve_pepassword\norig_ebx candidate? 0xa1beee22\norig_ebx candidate? 0xc263a2cb\norig_ebx confirmed! 0xc263a2cb\nseo@seo:~\/Documents$<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\uc57d 3\ubd84~5\ubd84 \uc815\ub3c4 \uac78\ub838\ub358 \uac83 \uac19\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\uc81c loc_40921F \ucd08\uae30\uc5d0 <br>ebx\uac12\uc740 0xc263a2cb, eax\uac12\uc740 0xb7aac296 \uac12\uc73c\ub85c \ubcc0\uacbd\ud574\uc8fc\uba74 \ubcf5\ud638\ud654\uac00 \uc81c\ub300\ub85c \uc9c4\ud589\ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"572\" height=\"241\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-275.png\" alt=\"\" class=\"wp-image-2194\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-275.png 572w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-275-300x126.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">0040921F \uc9c0\uc810\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uace0, \uac78\ub838\uc744\ub54c ebx, eax \uac12\uc744 \ubcc0\uacbd\ud574\uc8fc\uc790. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ubcf5\ud638\ud654 \uc9c4\ud589\uc774 \ub05d\ub098\uace0 \uc2a4\ud15d\uc744 \ud558\ub098\uc529 \ubc1f\ub2e4\ubcf4\uba74,<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"673\" height=\"52\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-276.png\" alt=\"\" class=\"wp-image-2195\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-276.png 673w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-276-300x23.png 300w\" sizes=\"auto, (max-width: 673px) 100vw, 673px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">OEP\ub294 0x409151\uc73c\ub85c, 0x004010F0 \uc8fc\uc18c\ub85c \uc810\ud504\ud55c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">sub_4010F0<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __usercall sub_4010F0@&lt;eax>(int a1@&lt;ebx>, int a2@&lt;edi>, int a3@&lt;esi>)\n{\n  unsigned int v3; \/\/ eax\n  int v4; \/\/ eax\n  int v5; \/\/ eax\n  int v7; \/\/ [esp-18h] [ebp-80h]\n  int v8; \/\/ [esp-14h] [ebp-7Ch]\n  int v9; \/\/ [esp-Ch] [ebp-74h] BYREF\n  int v10; \/\/ [esp+4h] [ebp-64h]\n  int v11; \/\/ [esp+8h] [ebp-60h]\n  char v12[44]; \/\/ [esp+Ch] [ebp-5Ch] BYREF\n  int v13; \/\/ [esp+38h] [ebp-30h]\n  unsigned __int16 v14; \/\/ [esp+3Ch] [ebp-2Ch]\n  int *v15; \/\/ [esp+50h] [ebp-18h]\n  _DWORD **v16; \/\/ [esp+54h] [ebp-14h]\n  struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; \/\/ [esp+58h] [ebp-10h]\n  int v18; \/\/ [esp+5Ch] [ebp-Ch]\n  void *v19; \/\/ [esp+60h] [ebp-8h]\n  int 
v20; \/\/ [esp+64h] [ebp-4h]\n\n  v20 = -1;\n  v19 = &amp;unk_4050A8;\n  v18 = 4201916;\n  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;\n  v15 = &amp;v9;\n  v3 = off_405014(a2, a3, a1);\n  dword_408508 = BYTE1(v3);\n  dword_408504 = (unsigned __int8)v3;\n  dword_408500 = BYTE1(v3) + ((unsigned __int8)v3 &lt;&lt; 8);\n  dword_4084FC = HIWORD(v3);\n  if ( !sub_401C65(0) )\n    sub_40120B(28);\n  v20 = 0;\n  sub_401945();\n  dword_4089F8 = off_405010();\n  dword_4084E4 = sub_401813();\n  sub_4015C6();\n  sub_40150D();\n  sub_40122F();\n  v13 = 0;\n  off_40500C(v12);\n  v10 = sub_4014B5();\n  if ( (v13 &amp; 1) != 0 )\n    v4 = v14;\n  else\n    v4 = 10;\n  v8 = v4;\n  v7 = v10;\n  v5 = off_405008(0);\n  v11 = sub_401000(v5, 0, v7, v8);\n  sub_40125C(v11);\n  return sub_401331(**v16, v16);\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">main \ud568\uc218\ub85c \ucd94\uce21\ub418\ub294 sub_401000\ub97c \ud638\ucd9c\ud558\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">sub_401000<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __stdcall sub_401000(int a1, int a2, int a3, int a4)\n{\n  int v4; \/\/ eax\n  char v5; \/\/ cl\n  char v7[16]; \/\/ [esp+0h] [ebp-14Ch] BYREF\n  char v8[16]; \/\/ [esp+10h] [ebp-13Ch]\n  char v9[32]; \/\/ [esp+20h] [ebp-12Ch] BYREF\n\n  strcpy(v9, \"Congratulation!\\r\\n\\r\\nPassword is \");\n  qmemcpy(v7, \"VR_-\", 4);\n  v4 = 0;\n  v8[0] = 16;\n  v8[1] = 32;\n  v8[2] = 48;\n  v8[3] = 64;\n  v8[4] = 80;\n  v8[5] = 96;\n  v8[6] = 
112;\n  v8[7] = 0x80;\n  v8[8] = -112;\n  v8[9] = -96;\n  v8[10] = -80;\n  v8[11] = -64;\n  v8[12] = -48;\n  v7[4] = 15;\n  v7[5] = 39;\n  v7[6] = 56;\n  v7[7] = -52;\n  v7[8] = -94;\n  v7[9] = -1;\n  v7[10] = -111;\n  v7[11] = -31;\n  v7[12] = -48;\n  do\n  {\n    v5 = v8[v4] ^ v7[v4];\n    v7[v4] = v5;\n    v9[v4++ + 31] = v5;\n  }\n  while ( v4 &lt; 13 );\n  off_40509C(0, v9, &amp;unk_4084E0, 64);\n  return 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\uc81c\ub300\ub85c \ubcf5\ud638\ud654\ub41c \uac83\uc73c\ub85c \ubcf4\uc778\ub2e4!<br>\uc800 off_40509C\ub294 user32_MessageBoxA \ud568\uc218\ub85c,<br>Congratulation! \ubb38\uad6c\uc640 \ud568\uaed8 \ud328\uc2a4\uc6cc\ub4dc\ub97c \uba54\uc2dc\uc9c0\ucc3d \ub744\uc6b8 \uac83\uc774\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"555\" height=\"52\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-277.png\" alt=\"\" class=\"wp-image-2196\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-277.png 555w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-277-300x28.png 300w\" sizes=\"auto, (max-width: 555px) 100vw, 555px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"234\" height=\"132\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-278.png\" alt=\"\" class=\"wp-image-2197\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">FLAG<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>From_GHL2_!!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>2\uac1c\uc758 exe \ud30c\uc77c\ub4e4\uc774 \uc8fc\uc5b4\uc9c4\ub2e4. \ud558\ub098\ub294 Original.exe, \ub2e4\ub978 \ud558\ub098\ub294 Packed.exe. Original.exe \ud328\ud0b9\ub418\uc5b4\uc788\uc9c0 \uc54a\uc740 \ubc14\uc774\ub108\ub9ac\ub2e4. 
Decompiled-src WinMain XOR \ubcf5\ud638\ud654\ub41c Text\ub97c MessageBoxA \ud568\uc218\ub97c \ud1b5\ud574 \ud638\ucd9c\ud558\uace0 \uc788\ub2e4. 0x4010D1\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uc5b4 \ud655\uc778\ud574\ubcf4\uba74 \uc2e4\uc81c\ub85c \ubcf5\ud638\ud654\ub41c \ubb38\uc790\uc5f4\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4. \uadf8\uac8c \ub05d\uc774\ub2e4. Packed.exe \ud328\ud0b9\ub41c \ubc14\uc774\ub108\ub9ac\uc774\ub2e4. \uadf8\ub7ec\uba74 \ube44\ubc00\ubc88\ud638\ub97c \uc785\ub825\ud558\ub77c\ub294 \ucc3d\uc774 \ub098\uc624\ub294\ub370, ABCD \ubb38\uc790\uc5f4\uc744 \ub123\uace0 \ubd84\uc11d\ud574\ubcf4\uc790. Analysis sub_4091D8 \ud568\uc218\uc5d0 \uc758\ud574 \ubc18\ud658\ub41c eax \uac12\uc774 0x0E98F842A\uc778\uc9c0&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=1921\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">PEPassword<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[24],"class_list":["post-1921","post","type-post","status-publish","format-standard","hentry","category-reversing-kr","tag-reversing"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/
\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1921"}],"version-history":[{"count":6,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1921\/revisions"}],"predecessor-version":[{"id":2199,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1921\/revisions\/2199"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}