{"id":2552,"date":"2024-05-24T01:35:36","date_gmt":"2024-05-23T16:35:36","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2552"},"modified":"2024-05-24T01:35:38","modified_gmt":"2024-05-23T16:35:38","slug":"leg","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2552","title":{"rendered":"leg"},"content":{"rendered":"\n

Description<\/h2>\n\n\n\n

Daddy told me I should study arm.
But I prefer to study my leg!<\/p>\n\n\n\n

Download : http:\/\/pwnable.kr\/bin\/leg.c
Download : http:\/\/pwnable.kr\/bin\/leg.asm<\/p>\n\n\n\n

ssh leg@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n

Source Code<\/h2>\n\n\n\n

leg.c<\/strong><\/p>\n\n\n\n

\n
#include <stdio.h>\n#include <fcntl.h>\nint key1(){\n\tasm(\"mov r3, pc\\n\");\n}\nint key2(){\n\tasm(\n\t\"push\t{r6}\\n\"\n\t\"add\tr6, pc, $1\\n\"\n\t\"bx\tr6\\n\"\n\t\".code   16\\n\"\n\t\"mov\tr3, pc\\n\"\n\t\"add\tr3, $0x4\\n\"\n\t\"push\t{r3}\\n\"\n\t\"pop\t{pc}\\n\"\n\t\".code\t32\\n\"\n\t\"pop\t{r6}\\n\"\n\t);\n}\nint key3(){\n\tasm(\"mov r3, lr\\n\");\n}\nint main(){\n\tint key=0;\n\tprintf(\"Daddy has very strong arm! : \");\n\tscanf(\"%d\", &key);\n\tif( (key1()+key2()+key3()) == key ){\n\t\tprintf(\"Congratz!\\n\");\n\t\tint fd = open(\"flag\", O_RDONLY);\n\t\tchar buf[100];\n\t\tint r = read(fd, buf, 100);\n\t\twrite(0, buf, r);\n\t}\n\telse{\n\t\tprintf(\"I have strong leg :P\\n\");\n\t}\n\treturn 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n
\uc81c\ub300\ub85c \ubb38\uc81c\ub97c \uc774\ud574\ud558\uae30 \uc704\ud574 \uc704 \uc18c\uc2a4\ucf54\ub4dc\ub97c \uadf8\ub300\ub85c \ubcf5\ubd99\ud574\uc11c 
armv5teji \uc544\ud0a4\ud14d\ucc98\ub85c \uc815\uc801 \ud06c\ub85c\uc2a4 \ucef4\ud30c\uc77c\uc744 \ud55c \ub2e4\uc74c, 
qemu\ub85c \uc2e4\ud589\uc2dc\ud0a4\uace0 \ub514\ubc84\uac70\ub97c \ud1b5\ud574 \uc9c1\uc811 \ubd84\uc11d\ud574\ubcf4\ub824\uace0 \ud55c\ub2e4.<\/p>\n\n\n\n
\n
seo@raspberrypi:~\/Desktop $ arm-linux-gnueabi-gcc -march=armv5tej -static -o leg leg.c\nleg.c: In function \u2018main\u2019:\nleg.c:31:11: warning: implicit declaration of function \u2018read\u2019; did you mean \u2018fread\u2019? [-Wimplicit-function-declaration]\n   31 |   int r = read(fd, buf, 100);\n      |           ^~~~\n      |           fread\nleg.c:32:3: warning: implicit declaration of function \u2018write\u2019; did you mean \u2018fwrite\u2019? [-Wimplicit-function-declaration]\n   32 |   write(0, buf, r);\n      |   ^~~~~\n      |   fwrite\nseo@raspberrypi:~\/Desktop $ qemu-arm .\/leg\nDaddy has very strong arm! : asdf\nI have strong leg :P<\/pre>\n<\/div><\/div>\n\n\n\n
\uc2e4\ud589\uc774 \uc798\ub418\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
Disassembled Code<\/strong><\/h2>\n\n\n\n
\n
(gdb) disas main\nDump of assembler code for function main:\n   0x000105bc <+0>:\tpush\t{r4, r11, lr}\n   0x000105c0 <+4>:\tadd\tr11, sp, #8\n   0x000105c4 <+8>:\tsub\tsp, sp, #116\t; 0x74\n   0x000105c8 <+12>:\tmov\tr3, #0\n   0x000105cc <+16>:\tstr\tr3, [r11, #-24]\t; 0xffffffe8\n   0x000105d0 <+20>:\tldr\tr3, [pc, #196]\t; 0x1069c <main+224>\n   0x000105d4 <+24>:\tadd\tr3, pc, r3\n   0x000105d8 <+28>:\tmov\tr0, r3\n   0x000105dc <+32>:\tbl\t0x16d20 <printf>\n   0x000105e0 <+36>:\tsub\tr3, r11, #24\n   0x000105e4 <+40>:\tmov\tr1, r3\n   0x000105e8 <+44>:\tldr\tr3, [pc, #176]\t; 0x106a0 <main+228>\n   0x000105ec <+48>:\tadd\tr3, pc, r3\n   0x000105f0 <+52>:\tmov\tr0, r3\n   0x000105f4 <+56>:\tbl\t0x16dec <__isoc99_scanf>\n   0x000105f8 <+60>:\tbl\t0x10548 <key1>\n   0x000105fc <+64>:\tmov\tr4, r0\n   0x00010600 <+68>:\tbl\t0x10568 <key2>\n   0x00010604 <+72>:\tmov\tr3, r0\n   0x00010608 <+76>:\tadd\tr4, r4, r3\n   0x0001060c <+80>:\tbl\t0x1059c <key3>\n   0x00010610 <+84>:\tmov\tr3, r0\n   0x00010614 <+88>:\tadd\tr2, r4, r3\n   0x00010618 <+92>:\tldr\tr3, [r11, #-24]\t; 0xffffffe8\n   0x0001061c <+96>:\tcmp\tr2, r3\n   0x00010620 <+100>:\tbne\t0x1067c <main+192>\n   0x00010624 <+104>:\tldr\tr3, [pc, #120]\t; 0x106a4 <main+232>\n   0x00010628 <+108>:\tadd\tr3, pc, r3\n   0x0001062c <+112>:\tmov\tr0, r3\n   0x00010630 <+116>:\tbl\t0x2299c <puts>\n   0x00010634 <+120>:\tmov\tr1, #0\n   0x00010638 <+124>:\tldr\tr3, [pc, #104]\t; 0x106a8 <main+236>\n   0x0001063c <+128>:\tadd\tr3, pc, r3\n   0x00010640 <+132>:\tmov\tr0, r3\n   0x00010644 <+136>:\tbl\t0x34020 <open>\n   0x00010648 <+140>:\tstr\tr0, [r11, #-16]\n   0x0001064c <+144>:\tsub\tr3, r11, #124\t; 0x7c\n   0x00010650 <+148>:\tmov\tr2, #100\t; 0x64\n   0x00010654 <+152>:\tmov\tr1, r3\n   0x00010658 <+156>:\tldr\tr0, [r11, #-16]\n   0x0001065c <+160>:\tbl\t0x34144 <read>\n   0x00010660 <+164>:\tstr\tr0, [r11, #-20]\t; 0xffffffec\n   0x00010664 <+168>:\tsub\tr3, r11, #124\t; 0x7c\n   0x00010668 <+172>:\tldr\tr2, [r11, #-20]\t; 0xffffffec\n   0x0001066c <+176>:\tmov\tr1, r3\n   0x00010670 <+180>:\tmov\tr0, #0\n   0x00010674 <+184>:\tbl\t0x341f0 <write>\n   0x00010678 <+188>:\tb\t0x1068c <main+208>\n   0x0001067c <+192>:\tldr\tr3, [pc, #40]\t; 0x106ac <main+240>\n   0x00010680 <+196>:\tadd\tr3, pc, r3\n   0x00010684 <+200>:\tmov\tr0, r3\n   0x00010688 <+204>:\tbl\t0x2299c <puts>\n   0x0001068c <+208>:\tmov\tr3, #0\n   0x00010690 <+212>:\tmov\tr0, r3\n   0x00010694 <+216>:\tsub\tsp, r11, #8\n   0x00010698 <+220>:\tpop\t{r4, r11, pc}\n   0x0001069c <+224>:\tandeq\tpc, r5, r8, ror #5\n   0x000106a0 <+228>:\tstrdeq\tpc, [r5], -r0\n   0x000106a4 <+232>:\t\t\t; <UNDEFINED> instruction: 0x0005f2b8\n   0x000106a8 <+236>:\t\t\t; <UNDEFINED> instruction: 0x0005f2b0\n   0x000106ac <+240>:\tandeq\tpc, r5, r4, ror r2\t; <UNPREDICTABLE>\nEnd of assembler dump.\n(gdb) disas key1\nDump of assembler code for function key1:\n   0x00010548 <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x0001054c <+4>:\tadd\tr11, sp, #0\n   0x00010550 <+8>:\tmov\tr3, pc\n   0x00010554 <+12>:\tnop\t\t\t; (mov r0, r0)\n   0x00010558 <+16>:\tmov\tr0, r3\n   0x0001055c <+20>:\tadd\tsp, r11, #0\n   0x00010560 <+24>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x00010564 <+28>:\tbx\tlr\nEnd of assembler dump.\n(gdb) disas key2\nDump of assembler code for function key2:\n   0x00010568 <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x0001056c <+4>:\tadd\tr11, sp, #0\n   0x00010570 <+8>:\tpush\t{r6}\t\t; (str r6, [sp, #-4]!)\n   0x00010574 <+12>:\tadd\tr6, pc, #1\n   0x00010578 <+16>:\tbx\tr6\n   0x0001057c <+20>:\tmov\tr3, pc\n   0x0001057e <+22>:\tadds\tr3, #4\n   0x00010580 <+24>:\tpush\t{r3}\n   0x00010582 <+26>:\tpop\t{pc}\n   0x00010584 <+28>:\tpop\t{r6}\t\t; (ldr r6, [sp], #4)\n   0x00010588 <+32>:\tnop\t\t\t; (mov r0, r0)\n   0x0001058c <+36>:\tmov\tr0, r3\n   0x00010590 <+40>:\tadd\tsp, r11, #0\n   0x00010594 <+44>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x00010598 <+48>:\tbx\tlr\nEnd of assembler dump.\n(gdb) disas key3\nDump of assembler code for function key3:\n   0x0001059c <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x000105a0 <+4>:\tadd\tr11, sp, #0\n   0x000105a4 <+8>:\tmov\tr3, lr\n   0x000105a8 <+12>:\tnop\t\t\t; (mov r0, r0)\n   0x000105ac <+16>:\tmov\tr0, r3\n   0x000105b0 <+20>:\tadd\tsp, r11, #0\n   0x000105b4 <+24>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x000105b8 <+28>:\tbx\tlr\nEnd of assembler dump.<\/pre>\n<\/div><\/div>\n\n\n\n
http:\/\/pwnable.kr\/bin\/leg.asm<\/a>
\ubb38\uc81c \uc11c\ubc84\uc5d0 \uc788\ub294 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\ub791 \uc0b4\uc9dd \ub2e4\ub974\uc9c0\ub9cc, \ubb50.. \ud06c\uac8c \ub2e4\ub97c\uac74 \uc5c6\ub2e4!
\ub514\ubc84\uac70\ub97c attach\ud574\uc11c \ud558\ub098\uc529 \ubd84\uc11d\ud574\ubcf4\uc790<\/p>\n\n\n\n
\ud504\ub864\ub85c\uadf8 \ubd84\uc11d<\/h2>\n\n\n\n
\n
0x000105bc <+0>:\tpush\t{r4, r11, lr}<\/pre>\n<\/div><\/div>\n\n\n\n
\n
(gdb) info reg r4 r11 sp lr pc\nr4             0x10d5c             68956\nr11            0x0                 0\nsp             0x40800298          0x40800298\nlr             0x10908             67848\npc             0x105bc             0x105bc <main>\n(gdb) x\/3wx 0x4080028c\n0x4080028c:\t0x00000000\t0x00010d5c\t0x000108cc\n\n(gdb) stepi\n0x000105c0 in main ()\n\n(gdb) info reg r4 r11 sp lr pc\nr4             0x10d5c             68956\nr11            0x0                 0\nsp             0x4080028c          0x4080028c\nlr             0x10908             67848\npc             0x105c0             0x105c0 <main+4>\n(gdb) x\/3wx 0x4080028c\n0x4080028c:\t0x00010d5c\t0x00000000\t0x00010908<\/pre>\n<\/div><\/div>\n\n\n\n
push \uba85\ub839\uc5b4\uc5d0 \uc758\ud574 r4 r11 lr \ub808\uc9c0\uc2a4\ud130\uac12\uc774 \uac01\uac01 sp \uc8fc\uc18c\uc5d0 \ub4e4\uc5b4\uac04\ub2e4.
push \ud638\ucd9c\uc804 sp \uc8fc\uc18c\ub294 0x40800298\uc778\ub370,
\uc2a4\ud0dd\uc774 \ub192\uc740 \uc8fc\uc18c\uc5d0\uc11c \ub0ae\uc740 \ubc29\ud5a5\uc73c\ub85c \uc800\uc7a5\ub418\ub294 \ub9ac\ud2c0\uc5d4\ub514\uc548 \ubc29\uc2dd\uc774\uae30\uc5d0 <\/p>\n\n\n\n
0x4080028c -> 0x00010d5c (r4)
0x40800290 -> 0x0 (r11)
0x40800294 -> 0x00010908 (lr)<\/p>\n\n\n\n
\uc774\ub807\uac8c \uc800\uc7a5\ub418\uba70,
\ud558\ub098\uc758 opcode\ub97c \uc2e4\ud589\ud560\ub54c\ub9c8\ub2e4 pc\ub294 \ud56d\uc0c1 4\uc529 \uc99d\uac00\ud55c\ub2e4.
arm \uc544\ud0a4\ud14d\ucc98\uac00 4\ubc14\uc774\ud2b8\uc758 \uace0\uc815 \uae38\uc774\uc778 opcode\ub97c \uac00\uc9c0\uace0 \uc788\ub294 RISC \ubc29\uc2dd\uc774\uae30\uc5d0 \ud56d\uc0c1 4\uc774\ub2e4.
(THUMB \ubaa8\ub4dc\uc77c \uacbd\uc6b0, +2)<\/p>\n\n\n\n
sp \ub808\uc9c0\uc2a4\ud130\uac12\uc740 \uc774\uc81c r4, r11, sp\uac00 \uc800\uc7a5\ub418\uc5c8\uae30\uc5d0
sp\uac12\uc740 12\ub97c \ube80 0x4080028c \uac12\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
\n
0x000105c0 <+4>:\tadd\tr11, sp, #8<\/pre>\n<\/div><\/div>\n\n\n\n
r11 \ub808\uc9c0\uc2a4\ud130\uc5d0 sp \uac12 + 8\uc744 \ub354\ud55c \uac12\uc774 \uc800\uc7a5\ub41c\ub2e4.<\/p>\n\n\n\n
r11 \ub808\uc9c0\uc2a4\ud130\ub294 \ubcf4\ud1b5 \ud504\ub808\uc784 \ud3ec\uc778\ud130\ub85c \uc0ac\uc6a9\ub418\uba70, \uc9c0\uc5ed \ubcc0\uc218\ub098 \ub9e4\uac1c \ubcc0\uc218\uc5d0 \uc811\uadfc\ud558\ub294\ub370 \uc0ac\uc6a9\ub41c\ub2e4.<\/p>\n\n\n\n
\n
0x000105c4 <+8>:\tsub\tsp, sp, #116\t; 0x74<\/pre>\n<\/div><\/div>\n\n\n\n
sp \uac12\uc5d0 0x74\ub97c \ube7c\uc11c 
\ube80 \ud06c\uae30\ub9cc\ud07c \uc9c0\uc5ed\ubcc0\uc218\uc5d0 \ub2f4\uc744 \ub9cc\ud55c \uacf5\uac04\uc744 \uc0dd\uc131\ud558\uae30 \uc704\ud574 \uc2a4\ud0dd \uacf5\uac04\uc744 \ud655\uc7a5\ud55c\ub2e4.<\/p>\n\n\n\n
\uc5ec\uae30\uae4c\uc9c0 ARM \uc544\ud0a4\ud14d\ucc98\uc5d0\uc11c\uc758 \ud504\ub864\ub85c\uadf8\ub77c\uace0 \ubcf4\uba74 \ub420 \uac83 \uac19\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c key1, key2, key3 \ud568\uc218\uc5d0 \ub300\ud574 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n
key1<\/h2>\n\n\n\n
\n
(gdb) disas key1\nDump of assembler code for function key1:\n   0x00010548 <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x0001054c <+4>:\tadd\tr11, sp, #0\n   0x00010550 <+8>:\tmov\tr3, pc\n   0x00010554 <+12>:\tnop\t\t\t; (mov r0, r0)\n   0x00010558 <+16>:\tmov\tr0, r3\n   0x0001055c <+20>:\tadd\tsp, r11, #0\n   0x00010560 <+24>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x00010564 <+28>:\tbx\tlr\nEnd of assembler dump.<\/pre>\n<\/div><\/div>\n\n\n\n
x86_64\uc5d0\uc11c \ub9ac\ud134\uac12\uc774 rax\ub85c \uc800\uc7a5\ub418\ub294 \uac83\uacfc \uac19\uc774 
ARM \uc544\ud0a4\ud14d\ucc98\uc5d0\uc11c\uc758 \ub9ac\ud134\uac12\uc740 \ubcf4\ud1b5 r0 \ub808\uc9c0\uc2a4\ud130\uc5d0 \ud574\ub2f9\ub41c\ub2e4.<\/p>\n\n\n\n
r3 \ub808\uc9c0\uc2a4\ud130\uac12\uc744 \ud1b5\ud574 \ub9ac\ud134\uac12\uc774 \uc9c0\uc815\ub418\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub294\ub370,
\uc5ec\uae30\uc11c \uc8fc\uc758\ud560 \uc810\uc740 pc\uac12\uc774 0x10550\uc73c\ub85c r3 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc800\uc7a5\ub418\uc9c0 \uc54a\uace0 +8\uc744 \ub354\ud55c 0x10558<\/strong> \uac12\uc774 \ub41c\ub2e4\ub294 \uc810\uc774\ub2e4!<\/p>\n\n\n\n
\uc774\ub7ec\ud55c \uc774\uc720\ub294 ARM \ud30c\uc774\ud504\ub77c\uc778 \ud2b9\uc131 <\/strong>\ub54c\ubb38\uc774\ub77c\uace0 \ud55c\ub2e4.
Reference: 
https:\/\/cheesehack.tistory.com\/104<\/a><\/p>\n\n\n\n
ARM \ud30c\uc774\ud504\ub77c\uc778 \ud2b9\uc131<\/strong><\/h4>\n\n\n\n
ARM \ud30c\uc774\ud504\ub77c\uc778\uc740 execute \ub2e8\uacc4\ub97c \uc644\uc804\ud788 \ud1b5\uacfc\ud560 \ub54c\uae4c\uc9c0 \uba85\ub839\uc5b4\ub97c \ucc98\ub9ac\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0,
execute \ub2e8\uacc4\uc5d0\uc11c\ub294 PC(Program Counter)\uac00 \ud56d\uc0c1 \uba85\ub839\uc5b4 \uc8fc\uc18c + 8 \ubc14\uc774\ud2b8\ub97c \uac00\ub9ac\ud0a8\ub2e4.<\/strong>
(\ub2e8, \ud504\ub85c\uc138\uc11c\uac00 Thumb \uc0c1\ud0dc\uc778 \uacbd\uc6b0 PC\ub294 \ud56d\uc0c1 \uba85\ub839\uc5b4 \uc8fc\uc18c + 4 \ubc14\uc774\ud2b8\ub97c \uac00\ub9ac\ud0a8\ub2e4.
Thumb \ubaa8\ub4dc = 16\ube44\ud2b8 \ud504\ub85c\uadf8\ub7a8 \ud638\ud658\uc131\uc744 \uc704\ud574 \ucd5c\uc801\ud654\ub41c \ubaa8\ub4dc)<\/p>\n\n\n\n
pc      fetch\npc - 4  decode\npc - 8  execute\n<\/strong><\/code>\uc704 \ud45c\ub294 fetch -> decode -> execute \ub85c \uc774\uc5b4\uc9c0\ub294 \ud30c\uc774\ud504\ub77c\uc778 \ud2b9\uc131\ub54c\ubb38\uc5d0 pc \uac12\uc774 fetch \ub2e8\uacc4\uc758 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uace0 \uc788\uc5b4 pc \ub97c \uc77d\uc5b4 \ub4e4\uc774\ub294 \uc2e4\uc81c \uba85\ub839\uc218\ud589 \ub2e8\uacc4\uc5d0\uc11c\ub294 ARM \ubaa8\ub4dc\uc758 \uacbd\uc6b0 8byte, Thumb \ubaa8\ub4dc\uc5d0\uc11c\ub294 4 \ubc14\uc774\ud2b8\ub9cc\ud07c \ud56d\uc0c1 \uc55e\uc11c \uc788\ub2e4<\/strong><\/pre>\n\n\n\n
\ub530\ub77c\uc11c key1\uc758 \ub9ac\ud134\uac12\uc740 0x10558<\/strong>\uc774 \ub418\uaca0\ub2e4.<\/p>\n\n\n\n
key2<\/h2>\n\n\n\n
\n
(gdb) disas key2\nDump of assembler code for function key2:\n   0x00010568 <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x0001056c <+4>:\tadd\tr11, sp, #0\n   0x00010570 <+8>:\tpush\t{r6}\t\t; (str r6, [sp, #-4]!)\n   0x00010574 <+12>:\tadd\tr6, pc, #1\n   0x00010578 <+16>:\tbx\tr6\n   0x0001057c <+20>:\tmov\tr3, pc\n   0x0001057e <+22>:\tadds\tr3, #4\n   0x00010580 <+24>:\tpush\t{r3}\n   0x00010582 <+26>:\tpop\t{pc}\n   0x00010584 <+28>:\tpop\t{r6}\t\t; (ldr r6, [sp], #4)\n   0x00010588 <+32>:\tnop\t\t\t; (mov r0, r0)\n   0x0001058c <+36>:\tmov\tr0, r3\n   0x00010590 <+40>:\tadd\tsp, r11, #0\n   0x00010594 <+44>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x00010598 <+48>:\tbx\tlr\nEnd of assembler dump.<\/pre>\n<\/div><\/div>\n\n\n\n
\ud6c4\ubc18\ubd80\ucbe4\uc744 \uc0b4\ud3b4\ubcf4\uba74 
mov r0, r3…
r3 \ub808\uc9c0\uc2a4\ud130 \uac12\uc5d0 \uc758\ud574 \ub9ac\ud134\uac12\uc774 \uc9c0\uc815\ub418\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
0x0001057c <+20>: mov r3, pc
0x0001057e <+22>: adds r3, #4
\uc5ec\uae30\uc11c\ubd80\ud130 2\ubc14\uc774\ud2b8\uc529 opcode\uac00 \uc2e4\ud589\ub418\uae30 \ub54c\ubb38\uc5d0 Thumb<\/strong> \uc0c1\ud0dc\uc774\uace0,<\/p>\n\n\n\n
0x0001057c <+20>: mov r3, pc \uc5d0\uc11c
r3\ub294 pc \uac12\uc5d0 4\ub97c \ub354\ud55c, 0x0001057c + 4 = 0x10580\uc774 \ub418\uace0,<\/p>\n\n\n\n
0x0001057e <+22>: adds r3, #4 \uc5d0\uc11c
r3\ub294 \uae30\uc874 r3\uac12\uc5d0 4\ub97c \ub354\ud55c, 0x10584 + 4 = 0x10584<\/strong>\uac00 \ub418\uaca0\ub2e4.<\/p>\n\n\n\n
\ub530\ub77c\uc11c key2\uc758 \ub9ac\ud134\uac12\uc740 0x10584<\/strong>\uc774 \ub418\uaca0\ub2e4.<\/p>\n\n\n\n
key3<\/h2>\n\n\n\n
\n
(gdb) disas key3\nDump of assembler code for function key3:\n   0x0001059c <+0>:\tpush\t{r11}\t\t; (str r11, [sp, #-4]!)\n   0x000105a0 <+4>:\tadd\tr11, sp, #0\n   0x000105a4 <+8>:\tmov\tr3, lr\n   0x000105a8 <+12>:\tnop\t\t\t; (mov r0, r0)\n   0x000105ac <+16>:\tmov\tr0, r3\n   0x000105b0 <+20>:\tadd\tsp, r11, #0\n   0x000105b4 <+24>:\tpop\t{r11}\t\t; (ldr r11, [sp], #4)\n   0x000105b8 <+28>:\tbx\tlr\nEnd of assembler dump.<\/pre>\n<\/div><\/div>\n\n\n\n
\ud6c4\ubc18\ubd80\ucbe4\uc744 \uc0b4\ud3b4\ubcf4\uba74 
0x000105ac <+16>: mov r0, r3
\ub9c8\ucc2c\uac00\uc9c0\ub85c, r3 \ub808\uc9c0\uc2a4\ud130 \uac12\uc5d0 \uc758\ud574 \ub9ac\ud134\uac12\uc774 \uc9c0\uc815\ub418\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\uc704\ub85c \ucb49\ucb49 \uc0b4\ud3b4\ubcf4\uba74,<\/p>\n\n\n\n
0x000105a4 <+8>: mov r3, lr<\/p>\n\n\n\n
lr \ub808\uc9c0\uc2a4\ud130\uac12\uc73c\ub85c r3 \ub808\uc9c0\uc2a4\ud130\uac12\uc774 \uc9c0\uc815\ub418\ub294\ub370, 
\uc5ec\uae30\uc11c lr\uc740  \ub9c1\ud06c \ub808\uc9c0\uc2a4\ud130\ub85c \uc11c\ube0c\ub8e8\ud2f4 \ud6c4\uc5d0 \ub9ac\ud134 \uc8fc\uc18c\uac00 \uc800\uc7a5\ub418\uc5b4\uc788\ub2e4.<\/p>\n\n\n\n
\n
(gdb) disas main\nDump of assembler code for function main:\n   ...\n   0x0001060c <+80>:\tbl\t0x1059c <key3>\n   0x00010610 <+84>:\tmov\tr3, r0\n   ...\nEnd of assembler dump.<\/pre>\n<\/div><\/div>\n\n\n\n
\ub3cc\uc544\uac08 \ub9ac\ud134 \uc8fc\uc18c\ub294 0x00010610 \uc8fc\uc18c\ub85c, 
\ub530\ub77c\uc11c key3\uc758 \ub9ac\ud134\uac12\uc740 0x10610<\/strong>\uc774 \ub418\uaca0\ub2e4.<\/p>\n\n\n\n
\uc774\ub807\uac8c \ubaa8\ub4e0 key\uc758 \ub9ac\ud134\uac12\uc744 \ub354\ud558\uba74,
0x10558<\/strong><\/strong> + 0x10584<\/strong> + 0x10610<\/strong> 
= 0x310ec 
= 200940<\/strong>\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
\ud55c\ubc88 \ud655\uc778\ud574\ubcf4\uba74,<\/p>\n\n\n\n
\n
seo@raspberrypi:~\/Desktop $ qemu-arm .\/leg\nDaddy has very strong arm! : 200940\nCongratz!<\/pre>\n<\/div><\/div>\n\n\n\n
\uac12\uc774 \ub9de\uc558\ub2e4\uace0 “Congratz!” \ubb38\uc790\uc5f4\uc774 \ub098\ud0c0\ub09c\ub2e4!<\/p>\n\n\n\n
\uc5d0\ud544\ub85c\uadf8 \ubd84\uc11d<\/h2>\n\n\n\n
\n
0x00010694 <+216>:\tsub\tsp, r11, #8\n0x00010698 <+220>:\tpop\t{r4, r11, pc}<\/pre>\n<\/div><\/div>\n\n\n\n
0x00010694 <+216>: sub sp, r11, #8
\ud504\ub864\ub85c\uadf8\uc5d0\uc11c add r11, sp, #8<\/code> \uba85\ub839\uc5b4\ub85c r11 \ub808\uc9c0\uc2a4\ud130\uac12\uc744 sp \ub808\uc9c0\uc2a4\ud130\uac12+8\ub85c \uc9c0\uc815\ud588\uae30 \ub54c\ubb38\uc5d0, 
\uc5d0\ud544\ub85c\uadf8\uc5d0\uc11c \uc774\ub97c \ub2e4\uc2dc \ube7c\uc90c\uc73c\ub85c\uc368 sp \ub808\uc9c0\uc2a4\ud130\uac12\uc744 \uc6d0\ub798 \uc704\uce58\ub85c \ubcf5\uc6d0\ud55c\ub2e4.<\/p>\n\n\n\n
0x00010698 <+220>: pop {r4, r11, pc}
\uc2a4\ud0dd\uc758 \ucd5c\uc0c1\uc704 \uac12\ub4e4\uc744 r4, r11, pc \ub808\uc9c0\uc2a4\ud130\uac12\uc5d0 \uac01\uac01 \ubcf5\uc0ac\ud558\uace0 
\uc2a4\ud0dd \ud3ec\uc778\ud130 sp<\/code>\ub97c \uc138 \ub808\uc9c0\uc2a4\ud130 \uac12\uc744 \ube80 \ub9cc\ud07c\uc758 \ud06c\uae30\uc778 12\ub97c \ub354\ud558\uc5ec \ub2e4\uc2dc \uc99d\uac00\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n
Solution<\/h2>\n\n\n\n
\n
key1 = 0x00008cdc + 8 = 0x8ce4\nkey2 = 0x00008d04 + 4 + 4 = 0x8d0c\nkey3 = lr = 0x00008d80\n\nkey1 + key2 + key3 = 0x1a770 = 108400<\/pre>\n<\/div><\/div>\n\n\n\n
Result<\/h2>\n\n\n\n
\n
...\ncttyhack: can't open '\/dev\/ttyS0': No such file or directory\nsh: can't access tty; job control turned off\n\/ $ ls\nbin      dev      flag     linuxrc  root     sys\nboot     etc      leg      proc     sbin     usr\n\/ $ .\/leg\nDaddy has very strong arm! : 108400\nCongratz!\nMy daddy has a lot of ARMv5te muscle!\n\/ $ <\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
Description Daddy told me I should study arm.But I prefer to study my leg! Download : http:\/\/pwnable.kr\/bin\/leg.cDownload : http:\/\/pwnable.kr\/bin\/leg.asm ssh leg@pwnable.kr -p2222 (pw:guest) Source Code leg.c \uc81c\ub300\ub85c \ubb38\uc81c\ub97c \uc774\ud574\ud558\uae30 \uc704\ud574 \uc704 \uc18c\uc2a4\ucf54\ub4dc\ub97c \uadf8\ub300\ub85c \ubcf5\ubd99\ud574\uc11c armv5teji \uc544\ud0a4\ud14d\ucc98\ub85c \uc815\uc801 \ud06c\ub85c\uc2a4 \ucef4\ud30c\uc77c\uc744 \ud55c \ub2e4\uc74c, qemu\ub85c \uc2e4\ud589\uc2dc\ud0a4\uace0 \ub514\ubc84\uac70\ub97c \ud1b5\ud574 \uc9c1\uc811 \ubd84\uc11d\ud574\ubcf4\ub824\uace0 \ud55c\ub2e4. \uc2e4\ud589\uc774 \uc798\ub418\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4. Disassembled… \ub354 \ubcf4\uae30 »leg<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[41,25,43],"class_list":["post-2552","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-arm","tag-pwnable","tag-stack-frame"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2552"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2552\/revisions"}],"predecessor-version":[{"id":2553,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2552\/revisions\/2553"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}