{"id":3382,"date":"2025-04-22T02:26:35","date_gmt":"2025-04-21T17:26:35","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3382"},"modified":"2025-04-22T02:27:38","modified_gmt":"2025-04-21T17:27:38","slug":"lactf2024-technically-correct","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3382","title":{"rendered":"[LACTF2024] technically-correct"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">file \/ readelf<\/h3>\n\n\n\n<p>ELF 32-bit?<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ file technically_correct\ntechnically_correct: ELF 32-bit MSB *unknown arch 0x3e00*<\/pre>\n\n\n\n<p>The ELF header is corrupted: only the magic bytes are intact, the rest of the header is garbage.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ readelf -a .\/technically_correct\nELF Header:\n  Magic:   7f 45 4c 46 01 02 a8 9e b6 21 74 80 06 55 b8 e5\n  Class:                             ELF32\n  Data:                              2's complement, big endian\n  Version:                           168 &lt;unknown>\n  OS\/ABI:                            &lt;unknown: 9e>\n  ABI Version:                       182\n  Type:                              &lt;unknown>: 200\n  Machine:                           &lt;unknown>: 0x3e00\n  Version:                           0x6ed7b4c7\n  Entry point address:               0x37c184d0\n  Start of program headers:          3338993664 (bytes into file)\n  Start of section headers:          973078528 (bytes into file)\n  Flags:                             0x0\n  Size of this header:    
           36406 (bytes)\n  Size of program headers:           8300 (bytes)\n  Number of program headers:         15801\n  Size of section headers:           35328 (bytes)\n  Number of section headers:         56772\n  Section header string table index: 5298\nreadelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header\nreadelf: Error: Reading 2005641216 bytes extends past end of file for section headers\nreadelf: Error: Section headers are not available!\nreadelf: Error: Too many program headers - 0x3db9 - the file is not that big\n\nThere is no dynamic section in this file.\nreadelf: Error: Too many program headers - 0x3db9 - the file is not that big<\/pre>\n\n\n\n<p>It does not open in IDA Pro \/ Ghidra either.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"384\" height=\"123\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-60.png\" alt=\"\" class=\"wp-image-3383\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-60.png 384w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-60-300x96.png 300w\" sizes=\"auto, (max-width: 384px) 100vw, 384px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"790\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-61.png\" alt=\"\" class=\"wp-image-3384\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-61.png 606w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-61-230x300.png 230w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">strace<\/h3>\n\n\n\n<p>It contains ptrace-based anti-debugging: under strace, <code>ptrace(PTRACE_TRACEME)<\/code> fails with EPERM and the program exits immediately.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" 
data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ strace -f .\/technically_correct\nexecve(\".\/technically_correct\", [\".\/technically_correct\"], 0x7ffcae644878 \/* 24 vars *\/) = 0\nptrace(PTRACE_TRACEME)                  = -1 EPERM (Operation not permitted)\nexit(0)                                 = ?\n+++ exited with 0 +++<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">gdb<\/h3>\n\n\n\n<p>Because the ELF file format is malformed, gdb cannot load it either.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ gdb .\/technically_correct\n...\nGEF for linux ready, type `gef' to start, `gef config' to configure\n90 commands loaded and 5 functions added for GDB 9.2 in 1.37ms using Python engine 3.8\n\"\/home\/seo\/study\/LACTF2024\/technically-correct\/.\/technically_correct\": not in executable format: file format not recognized<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">gdbserver<\/h3>\n\n\n\n<p>It seems a debugger cannot attach because the binary calls <code>ptrace(PTRACE_TRACEME)<\/code> on itself before any debugger is attached.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ gdbserver :1234 .\/technically_correct\nProcess .\/technically_correct created; pid = 4052\nListening on port 
1234\n...\n\nseo@ubuntu:~\/study\/LACTF2024\/technically-correct\/ftrace-hook$ gdb -p 4052\nwarning: process 4052 is already traced by process 4048\nptrace: Operation not permitted.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Run<\/h3>\n\n\n\n<p>Surprisingly, it runs even though the ELF structure is broken. It prints <code>no<\/code>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ .\/technically_correct\nno<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Debugging method<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/ilammy\/ftrace-hook\">https:\/\/github.com\/ilammy\/ftrace-hook<\/a><\/p>\n\n\n\n<p>Using the ftrace-hook project, add code that hooks the kernel's ptrace syscall handler.<\/p>\n\n\n\n<p>The following conditions are added to the ptrace hook function.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the process name is \u201cprob\u201d (the challenge file name)\n<ul class=\"wp-block-list\">\n<li>If the &#8220;\/tmp\/exit\u201d file does not exist, loop forever (polling once a second), so the process stays stalled inside ptrace<\/li>\n\n\n\n<li>If the file exists, return 0 without calling <code>real_sys_ptrace<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">--- .\/ftrace_hook.c.1\t2025-04-21 05:10:09.857303366 -0700\n+++ 
.\/ftrace_hook.c\t2025-04-21 05:09:38.213003904 -0700\n@@ -15,6 +15,7 @@\n #include &lt;linux\/uaccess.h>\n #include &lt;linux\/version.h>\n #include &lt;linux\/kprobes.h>\n+#include &lt;linux\/delay.h>  \n \n MODULE_DESCRIPTION(\"Example module hooking clone() and execve() via ftrace\");\n MODULE_AUTHOR(\"ilammy &lt;a.lozovsky@gmail.com>\");\n@@ -310,6 +311,42 @@\n \n \treturn ret;\n }\n+\n+\/* \uc6d0\ubcf8 syscall \ud568\uc218 \ud3ec\uc778\ud130 *\/\n+static asmlinkage long (*real_sys_ptrace)(struct pt_regs *regs);\n+\n+\/* \ud6c4\ud0b9 \ud568\uc218 *\/\n+static asmlinkage long fh_sys_ptrace(struct pt_regs *regs)\n+{\n+    long ret;\n+    unsigned long request = regs->di; \/* \uccab \ubc88\uc9f8 \uc778\uc790: \uc694\uccad \ud0c0\uc785 *\/\n+    pid_t target = (pid_t)regs->si;   \/* \ub450 \ubc88\uc9f8 \uc778\uc790: \ub300\uc0c1 PID *\/\n+\n+    pr_info(\"ptrace called by %s (pid:%d), req:%lu, target:%d\\n\",\n+            current->comm, current->pid,\n+            request, target);\n+\t\n+\tif (strcmp(current->comm, \"prob\") == 0) {\n+\t\tstruct file *file;\n+\t\n+\t    while (1) {\n+\t\t    file = filp_open(\"\/tmp\/exit\", O_RDONLY, 0);\n+\t\t    if (!IS_ERR(file)) {\n+\t\t        \/* \ud30c\uc77c\uc744 \ucc3e\uc558\uc73c\uba74 \ub2eb\uace0 \ub8e8\ud504 \ud0c8\ucd9c *\/\n+\t\t        filp_close(file, NULL);\n+\t\t        pr_info(\"fh_sys_exit: \/tmp\/exit found, proceeding exit\\n\");\n+\t\t        return 0;\n+\t\t    }\n+\t\t    \/* \uc5c6\uc73c\uba74 1\ucd08 \ub300\uae30 \ud6c4 \ub2e4\uc2dc \ud655\uc778 *\/\n+\t\t    msleep(1000);\n+\t\t}\n+\t}\n+\n+    \/* \uc6d0\ubcf8 ptrace \ud638\ucd9c *\/\n+    ret = real_sys_ptrace(regs);\n+\n+    return ret;\n+}\n #else\n static asmlinkage long (*real_sys_execve)(const char __user *filename,\n \t\tconst char __user *const __user *argv,\n@@ -356,6 +393,7 @@\n static struct ftrace_hook demo_hooks[] = {\n \tHOOK(\"sys_clone\",  fh_sys_clone,  &amp;real_sys_clone),\n \tHOOK(\"sys_execve\", fh_sys_execve, 
&amp;real_sys_execve),\n+\tHOOK(\"sys_ptrace\", fh_sys_ptrace, &amp;real_sys_ptrace),\n };\n \n static int fh_init(void)<\/pre>\n\n\n\n<p>With the hooking module installed, the process stalls inside ptrace:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ strace .\/prob\nexecve(\".\/prob\", [\".\/prob\"], 0x7ffe501d2cb0 \/* 24 vars *\/) = 0\nptrace(PTRACE_TRACEME<\/pre>\n\n\n\n<p>Once the \/tmp\/exit file is created, execution continues and the anti-debugging check is bypassed (the hook returns 0, so ptrace appears to succeed even under strace).<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ strace .\/prob\nexecve(\".\/prob\", [\".\/prob\"], 0x7ffe501d2cb0 \/* 24 vars *\/) = 0\nptrace(PTRACE_TRACEME)                  = 0\nwrite(1, \"no\\n\", 3no\n)                     = 3\nexit(0)                                 = ?\n+++ exited with 0 +++<\/pre>\n\n\n\n<p>Attaching with gdbserver again still fails.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/build\/gdb-gAcuhh\/gdb-9.2\/gdb\/gdbserver\/regcache.c:257: A problem internal to GDBserver has been detected.\nUnknown register pkru requested\n...\n\ngef\u27a4  target remote :1234\nRemote debugging using :1234\nRemote connection 
closed<\/pre>\n\n\n\n<p>Delete the \/tmp\/exit file and run .\/prob. While it is stalled at the ptrace stage, attach with gdb -p &lt;pid&gt;.<\/p>\n\n\n\n<p>gdb then hangs after the Attaching to process 5333 message.<\/p>\n\n\n\n<p>Creating the \/tmp\/exit file in this state lets the debugger attach successfully in the gdb window.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct\/ftrace-hook$ gdb -p 5333\nGNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2\nCopyright (C) 2020 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType \"show copying\" and \"show warranty\" for details.\nThis GDB was configured as \"x86_64-linux-gnu\".\nType \"show configuration\" for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    &lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type \"help\".\nType \"apropos word\" to search for commands related to \"word\".\nGEF for linux ready, type `gef' to start, `gef config' to configure\n90 commands loaded and 5 functions added for GDB 9.2 in 2.02ms using Python engine 3.8\nAttaching to process 5333\n\nwarning: \"\/home\/seo\/study\/LACTF2024\/technically-correct\/prob\": not in executable format: file format not recognized\n\nwarning: 
`\/home\/seo\/study\/LACTF2024\/technically-correct\/prob': can't read symbols: file format not recognized.\n\nwarning: Could not load vsyscall page because no executable was specified\n0x000005c7d084c577 in ?? ()\n[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n[!] 
Command 'registers' failed to execute properly, reason: max() arg is an empty sequence\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0x007fff0b643ca0\u2502+0x0000: 0x0000000000000001\n0x007fff0b643ca8\u2502+0x0008: 0x007fff0b64573f  \u2192  0x5300626f72702f2e (\".\/prob\"?)\n0x007fff0b643cb0\u2502+0x0010: 0x0000000000000000\n0x007fff0b643cb8\u2502+0x0018: 0x007fff0b645746  \u2192  \"SHELL=\/bin\/bash\"\n0x007fff0b643cc0\u2502+0x0020: 0x007fff0b645756  \u2192  \"PWD=\/home\/seo\/study\/LACTF2024\/technically-correct\"\n0x007fff0b643cc8\u2502+0x0028: 0x007fff0b645788  \u2192  \"LOGNAME=seo\"\n0x007fff0b643cd0\u2502+0x0030: 0x007fff0b645794  \u2192  \"XDG_SESSION_TYPE=tty\"\n0x007fff0b643cd8\u2502+0x0038: 0x007fff0b6457a9  \u2192  
\"MOTD_SHOWN=pam\"\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:generic: \u2500\u2500\u2500\u2500\n   0x5c7d084c56a                  test   DWORD PTR [rdi+0x3da33687], ecx\n   0x5c7d084c570                  mov    eax, 0x65\n   0x5c7d084c575                  syscall\n[!] 
Command 'context' failed to execute properly, reason:\ngef\u27a4<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis<\/h3>\n\n\n\n<p>The shellcode, disassembled from the attached process, is as follows.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  x\/50i $rip-7\n   0x5c7d084c570:       mov    eax,0x65\n   0x5c7d084c575:       syscall\n=> 0x5c7d084c577:       test   eax,eax\n   0x5c7d084c579:       jne    0x5c7d084c603\n   0x5c7d084c57f:       pop    rsi\n   0x5c7d084c580:       cmp    rsi,0x2\n   0x5c7d084c584:       jl     0x5c7d084c5de\n   0x5c7d084c586:       pop    rsi\n   0x5c7d084c587:       pop    rsi\n   0x5c7d084c588:       movabs rbx,0xf84bc1f88e8\n   0x5c7d084c592:       movzx  eax,BYTE PTR [rsi]\n   0x5c7d084c595:       cmp    al,0xa\n   0x5c7d084c597:       je     0x5c7d084c5cf\n   0x5c7d084c599:       cmp    al,0x0\n   0x5c7d084c59b:       je     0x5c7d084c5cf\n   0x5c7d084c59d:       cmp    al,0x7e\n   0x5c7d084c59f:       ja     0x5c7d084c5de\n   0x5c7d084c5a1:       sub    al,0x20\n   0x5c7d084c5a3:       jb     0x5c7d084c5de\n   0x5c7d084c5a5:       lea    rdx,[rbx+rax*8]\n   0x5c7d084c5a9:       mov    rbx,QWORD PTR [rdx]\n   0x5c7d084c5ac:       xor    rbx,rdx\n   0x5c7d084c5af:       movabs r8,0xb216cb3c48c1e693\n   0x5c7d084c5b9:       imul   rbx,r8\n   0x5c7d084c5bd:       movabs r8,0xc200c6d3267c529d\n   0x5c7d084c5c7:       add    rbx,r8\n   0x5c7d084c5ca:       inc    rsi\n   0x5c7d084c5cd:       jmp    0x5c7d084c592\n   0x5c7d084c5cf:       movabs rcx,0x7038fc00be0\n   0x5c7d084c5d9:       cmp    rbx,rcx\n   0x5c7d084c5dc:       je     0x5c7d084c5ea\n   0x5c7d084c5de:       push   0xa6f6e\n   0x5c7d084c5e3:       mov    edx,0x3\n   0x5c7d084c5e8:       jmp    0x5c7d084c5f4\n   0x5c7d084c5ea:       push   0xa736579\n   0x5c7d084c5ef:   
    mov    edx,0x4\n   0x5c7d084c5f4:       mov    eax,0x1\n   0x5c7d084c5f9:       mov    edi,0x1\n   0x5c7d084c5fe:       mov    rsi,rsp\n   0x5c7d084c601:       syscall\n   0x5c7d084c603:       mov    eax,0x3c\n   0x5c7d084c608:       xor    edi,edi\n   0x5c7d084c60a:       syscall<\/pre>\n\n\n\n<p>Shellcode dump.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">dump binary memory sc.bin 0x5c7d084c570 0x5c7d084c60c<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check<\/h3>\n\n\n\n<p>Pop the value at rsp into rsi; if it is less than 2, branch to the \u201cno\\n\u201d path.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seg000:000000000000000F                 pop     rsi\nseg000:0000000000000010                 cmp     rsi, 2\nseg000:0000000000000014                 jl      short loc_6E    ; 'no\\n'<\/pre>\n\n\n\n<p>Here rsi is simply <code>argc<\/code>. 
That is, the program must be run with an argument.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  x\/10i $rip\n=> 0x5c7d084c57f:       pop    rsi\n   0x5c7d084c580:       cmp    rsi,0x2\n   0x5c7d084c584:       jl     0x5c7d084c5de\n   0x5c7d084c586:       pop    rsi\n   0x5c7d084c587:       pop    rsi\n   0x5c7d084c588:       movabs rbx,0xf84bc1f88e8\n   0x5c7d084c592:       movzx  eax,BYTE PTR [rsi]\n   0x5c7d084c595:       cmp    al,0xa\n   0x5c7d084c597:       je     0x5c7d084c5cf\n   0x5c7d084c599:       cmp    al,0x0\ngef\u27a4  x\/4gx $rsp\n0x7ffe4800aab0: 0x0000000000000001      0x00007ffe4800b73f\n0x7ffe4800aac0: 0x0000000000000000      0x00007ffe4800b746\ngef\u27a4  x\/gx 0x00007ffe4800b73f\n0x7ffe4800b73f: 0x5300626f72702f2e\ngef\u27a4  x\/4s 0x00007ffe4800b73f\n0x7ffe4800b73f: \".\/prob\"\n0x7ffe4800b746: \"SHELL=\/bin\/bash\"\n0x7ffe4800b756: \"PWD=\/home\/seo\/study\/LACTF2024\/technically-correct\"\n0x7ffe4800b788: \"LOGNAME=seo\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">loc_22 (0x5c7d084c592)<\/h3>\n\n\n\n<p>Run:<\/p>\n\n\n\n<p><code>.\/prob ABCDEFGHIJKLMNOPQRSTUVWXYZ<\/code><\/p>\n\n\n\n<p>al = 0x41 ('A'). If al is 0xa, branch to loc_5F.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  x\/15i $rip\n=> 0x5c7d084c592:       movzx  eax,BYTE PTR [rsi]\n   0x5c7d084c595:       cmp    al,0xa\n   0x5c7d084c597:       je     0x5c7d084c5cf\ngef\u27a4  info reg rsi\nrsi            0x7fff4e2ae72b      0x7fff4e2ae72b\ngef\u27a4  x\/gx 
0x7fff4e2ae72b\n0x7fff4e2ae72b: 0x4847464544434241\ngef\u27a4  si\ngef\u27a4  x\/15i $rip\n=> 0x5c7d084c595:       cmp    al,0xa\ngef\u27a4  info reg al\nal             0x41                0x41<\/pre>\n\n\n\n<p>al = 0x41 ('A'). If al is 0, branch to loc_5F.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  x\/10i $rip\n=> 0x5c7d084c599:       cmp    al,0x0\n   0x5c7d084c59b:       je     0x5c7d084c5cf\n   0x5c7d084c59d:       cmp    al,0x7e\ngef\u27a4  info reg al\nal             0x41                0x41<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>loc_5F<\/li>\n<\/ul>\n\n\n\n<p>If rbx equals rcx (7038FC00BE0), \u201cyes\\n\u201d is printed.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seg000:000000000000005F loc_5F:                                 ; CODE XREF: sub_0+27\u2191j\nseg000:000000000000005F                                         ; sub_0+2B\u2191j\nseg000:000000000000005F                 mov     rcx, 7038FC00BE0h\nseg000:0000000000000069                 cmp     rbx, rcx\nseg000:000000000000006C                 jz      short loc_7A    ; 'yes\\n'<\/pre>\n\n\n\n<p>al = 0x41. If al &gt; 0x7E \u2192 jump to \u201cno\\n\u201d; if al &lt; 0x20 \u2192 jump to \u201cno\\n\u201d.<\/p>\n\n\n\n<p><code>sub al, 20h<\/code> decreases al by 0x20.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cmp     al, 7Eh         ; 
'~'\nja      short loc_6E    ; if al > 0x7E \u2192 jump\nsub     al, 20h         ; ' '\njb      short loc_6E    ; if al &lt; 0x20 \u2192 jump\n<\/pre>\n\n\n\n<p>The full assembly of the branch loop is as follows.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seg000:0000000000000022\nseg000:0000000000000022 loc_22:                                 ; CODE XREF: sub_0+5D\u2193j\nseg000:0000000000000022                 movzx   eax, byte ptr [rsi]\nseg000:0000000000000025                 cmp     al, 0Ah\nseg000:0000000000000027                 jz      short loc_5F\nseg000:0000000000000029                 cmp     al, 0\nseg000:000000000000002B                 jz      short loc_5F\nseg000:000000000000002D                 cmp     al, 7Eh ; '~'\nseg000:000000000000002F                 ja      short loc_6E    ; 'no\\n'\nseg000:0000000000000031                 sub     al, 20h ; ' '\nseg000:0000000000000033                 jb      short loc_6E    ; 'no\\n'\nseg000:0000000000000035                 lea     rdx, [rbx+rax*8]\nseg000:0000000000000039                 mov     rbx, [rdx]\nseg000:000000000000003C                 xor     rbx, rdx\nseg000:000000000000003F                 mov     r8, 0B216CB3C48C1E693h\nseg000:0000000000000049                 imul    rbx, r8\nseg000:000000000000004D                 mov     r8, 0C200C6D3267C529Dh\nseg000:0000000000000057                 add     rbx, r8\nseg000:000000000000005A                 inc     rsi\nseg000:000000000000005D                 jmp     short loc_22<\/pre>\n\n\n\n<p>Each character indexes an 8-byte table at rbx, and the loaded value is mixed into rbx (xor, multiply, add), so the final rbx is a hash of the whole argument. Overall, reconstructed in C, the loop looks like this.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" 
data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdint.h>\n#include &lt;string.h>   \/* memcpy *\/\n\n\/* Copy size bytes from the (mapped) address addr into output. *\/\nint readbuf(uint64_t addr, void* output, size_t size) {\n    memcpy(output, (const void *)(uintptr_t)addr, size);\n    return 0;\n}\n\n\/* Read one 8-byte value at addr, like mov rbx, [rdx]. *\/\nuint64_t read64(uint64_t what) {\n    uint64_t value = 0;\n    readbuf(what, &amp;value, sizeof(value));\n    return value;\n}\n\nint main(int argc, char *argv[], char *envp[]) {\n    uint64_t rbx = 0x0F84BC1F88E8;\n    \/* cmp rsi, 2 \/ jl loc_6E: no argument means \"no\" *\/\n    if (argc &lt; 2)\n        goto loc_6E;\n    \/\/loop_21\n    char *input = argv[1];\n    printf(\"argv[1]: %s\\n\", input);\n    int rsi = 0;\n    while (1) {\n        if(input[rsi] == '\\n')\n            goto loc_5F;\n        if(input[rsi] == '\\0')\n            goto loc_5F;\n        if(input[rsi] > 0x7E)\n            goto loc_6E;\n        if(input[rsi] &lt; 0x20)\n            goto loc_6E;\n        input[rsi] -= 0x20;\n\n        \/* lea rdx,[rbx+rax*8]; mov rbx,[rdx]; xor rbx,rdx *\/\n        uint64_t rdx = rbx + input[rsi]*8;\n        rbx = read64(rdx) ^ rdx;\n        uint64_t r8 = 0x0B216CB3C48C1E693;\n        rbx *= r8;\n        r8 = 0x0C200C6D3267C529D;\n        rbx += r8;\n\n        rsi+=1;\n    }\n\n    loc_5F:\n    printf(\"rbx: 0x%lx\\n\", rbx);\n    if(rbx == 0x7038FC00BE0) {\n        puts(\"yes\");   \/* the shellcode writes the 4 bytes \"yes\\n\" *\/\n        return 0;\n    }\n\n    loc_6E:\n    puts(\"no\");        \/* the shellcode writes the 3 bytes \"no\\n\" *\/\n\n    return 0;\n}<\/pre>\n\n\n\n<p>Dump the process memory in order to reconstruct the challenge environment.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dump_all.py<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import gdb\nimport re\nimport os\n\nclass DumpAllMappings(gdb.Command):\n    \"\"\"dump-all: dumps every memory region listed by info proc mappings to a file.\n    Usage: (gdb) dump-all\n    \"\"\"\n\n    def __init__(self):\n        super(DumpAllMappings, self).__init__(\"dump-all\", gdb.COMMAND_USER)\n\n    def invoke(self, arg, from_tty):\n        inferior = gdb.selected_inferior()\n        try:\n            mappings = gdb.execute(\"info proc mappings\", to_string=True)\n        except gdb.error as e:\n            gdb.write(f\"info proc mappings \uba85\ub839\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4: {e}\\n\", gdb.STDERR)\n            return\n\n        # Use a regular expression to extract each region's start and end address.\n        pattern = re.compile(r'^\\s*([0-9a-fA-Fx]+)\\s+([0-9a-fA-Fx]+)\\s+.*$')\n        for line in mappings.splitlines():\n            match = pattern.match(line)\n            if not match:\n                continue\n            start_str, end_str = match.groups()\n            try:\n                start = int(start_str, 16)\n                end = int(end_str, 16)\n                size = end - start\n                # Read the region\n                try:\n                    mem = inferior.read_memory(start, size)\n                except gdb.MemoryError:\n                    gdb.write(f\"\uba54\ubaa8\ub9ac \uc77d\uae30 \uc2e4\ud328: {start_str} - {end_str}\\n\", gdb.STDERR)\n                    continue\n                # Build the file name and write the dump\n                filename = f\"{start_str}_{size}.bin\"\n                try:\n                    with open(filename, \"wb\") as f:\n                        f.write(mem.tobytes())\n                    gdb.write(f\"\uba54\ubaa8\ub9ac \ub364\ud504 \uc644\ub8cc: {filename}\\n\")\n                except IOError as e:\n                    gdb.write(f\"\ud30c\uc77c \uc4f0\uae30 \uc2e4\ud328: {filename}: {e}\\n\", 
gdb.STDERR)\n            except ValueError:\n                continue\n\nDumpAllMappings()<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  dump-all\n\uba54\ubaa8\ub9ac \ub364\ud504 \uc644\ub8cc: 0x1bd4eff000_4096.bin\n\uba54\ubaa8\ub9ac \ub364\ud504 \uc644\ub8cc: 0x387efe4000_4096.bin\n\uba54\ubaa8\ub9ac \ub364\ud504 \uc644\ub8cc: 0xe634a9f000_4096.bin\n...<\/pre>\n\n\n\n<p>Put the dumped bin files in the .\/dumped folder, then compile and run the program below;<br>this reconstructs the challenge environment.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>prob_self.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;fcntl.h>\n#include &lt;unistd.h>\n#include &lt;dirent.h>\n#include &lt;string.h>\n#include &lt;sys\/mman.h>\n#include &lt;errno.h>\n#include &lt;stdint.h>\n\n#define DUMP_DIR \".\/dumped\"\n\n\/* Map every dump file back at its original address so the table lookups\n   read the same bytes the shellcode saw. *\/\nint mmap_rwx_from_dumped() {\n    DIR *dir = opendir(DUMP_DIR);\n    if (!dir) {\n        perror(\"opendir\");\n        return 1;\n    }\n\n    struct dirent *entry;\n    char path[1024];\n\n    while ((entry = readdir(dir)) != NULL) {\n        if (entry->d_type != DT_REG) continue; \/\/ skip non-regular files\n\n        \/\/ Parse the file name: 0xADDRESS_SIZE.bin\n        uint64_t base_addr = 0;\n        size_t size = 0;\n        if (sscanf(entry->d_name, \"0x%lx_%lu.bin\", 
&amp;base_addr, &amp;size) != 2) {\n            fprintf(stderr, \"\ud30c\uc77c\uba85 \ud30c\uc2f1 \uc2e4\ud328: %s\\n\", entry->d_name);\n            continue;\n        }\n\n        snprintf(path, sizeof(path), \"%s\/%s\", DUMP_DIR, entry->d_name);\n\n        \/\/ open the dump file\n        int fd = open(path, O_RDONLY);\n        if (fd &lt; 0) {\n            perror(\"open\");\n            continue;\n        }\n\n        \/\/ map it back at its original address, RWX, so absolute addresses inside it stay valid\n        void *mapped = mmap((void *)base_addr, size, PROT_READ | PROT_WRITE | PROT_EXEC,\n                            MAP_PRIVATE | MAP_FIXED, fd, 0);\n        if (mapped == MAP_FAILED) {\n            fprintf(stderr, \"mmap \uc2e4\ud328: %s - %s\\n\", entry->d_name, strerror(errno));\n            close(fd);\n            continue;\n        }\n\n        printf(\"\ub9e4\ud551 \uc131\uacf5: %s -> %p (%zu bytes)\\n\", entry->d_name, mapped, size);\n        close(fd);\n    }\n\n    closedir(dir);\n    return 0;\n}\n\n\/\/ copy size bytes from a raw address (must lie inside a region mapped above)\nint readbuf(uint64_t addr, void *output, size_t size) {\n    memcpy(output, (const void *)(uintptr_t)addr, size);\n    return 0;\n}\n\nuint64_t read64(uint64_t what) {\n    uint64_t value = 0;\n    readbuf(what, &amp;value, sizeof(value));\n    return value;\n}\n\nint main(int argc, char *argv[]) {\n    if (argc &lt; 2) {\n        fprintf(stderr, \"usage: %s INPUT\\n\", argv[0]);\n        return 1;\n    }\n\n    mmap_rwx_from_dumped();\n\n    \/\/ initial rbx taken from the binary; every input character walks it through the dumped table\n    uint64_t rbx = 0x0F84BC1F88E8;\n    \/\/loop_21\n    char *input = argv[1];\n    printf(\"argv[1]: %s\\n\", input);\n    int rsi = 0;\n    while (1) {\n        if(input[rsi] == '\\n')\n            goto loc_5F;\n        if(input[rsi] == '\\0')\n            goto loc_5F;\n        if(input[rsi] > 0x7E)\n            goto loc_6E;\n        if(input[rsi] &lt; 0x20)\n            goto loc_6E;\n        input[rsi] -= 0x20;\n\n        \/\/ 8-byte table slot indexed by the printable character, then xor, multiply, add\n        uint64_t rdx = rbx + input[rsi]*8;\n        rbx = read64(rdx) ^ rdx;\n        uint64_t r8 = 0x0B216CB3C48C1E693;\n        rbx *= r8;\n        r8 = 0x0C200C6D3267C529D;\n        rbx += r8;\n\n        rsi+=1;\n    }\n\n    loc_5F:\n    printf(\"rbx: 0x%lx\\n\", rbx);\n    if(rbx 
== 0x7038FC00BE0) {\n        puts(\"yes\\n\");\n        return 0;\n    }\n\n    loc_6E:\n    puts(\"no\\n\");\n\n    return 0;\n}<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ gcc -o prob_self prob_self.c\n...\nseo@ubuntu:~\/study\/LACTF2024\/technically-correct$ .\/prob_self AA\n...\n\ub9e4\ud551 \uc131\uacf5: 0x1b5cc2b1000_4096.bin -> 0x1b5cc2b1000 (4096 bytes)\nargv[1]: AA\nrbx: 0xe58854d6000\nno<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.c<\/h3>\n\n\n\n<p>Decrypt the encrypted pattern stored in the dumped memory regions to recover the flag.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>mmap()<\/code> the <code>0xADDR_SIZE.bin<\/code> files saved in <code>.\/dumped<\/code> back at their original addresses with <code>RWX<\/code> permissions<\/li>\n<\/ul>\n\n\n\n<p>Inverse computation part: prob_self.c \/ solve.c<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>prob_self.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\nrbx = read64(rdx) ^ rdx;\nuint64_t r8 = 0x0B216CB3C48C1E693;\nrbx *= r8;\nr8 = 0x0C200C6D3267C529D;\nrbx += r8;<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>solve.c\n<ul class=\"wp-block-list\">\n<li>To recover rdx, read 8 bytes at every offset of the mapped rwx regions and look for the address whose value matches.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">uint64_t rbx = 0x7038FC00BE0;\nrbx -= 0x0C200C6D3267C529D;\nrbx *= modinv_newton(0x0B216CB3C48C1E693);\nuint64_t rdx = find_matching_rdx_in_mapped_regions(rbx);\n...<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>solve.c<\/li>\n<\/ul>\n\n\n\n<p>Next, brute-force the previous rbx over the key range 0 to 0x5e; whenever <code>find_matching_rdx_in_mapped_regions<\/code> finds no corresponding rdx, move on to the next key.<\/p>\n\n\n\n<p>When a match is found, add 0x20 to the key and append the resulting character.<\/p>\n\n\n\n<p>Once the candidate rbx equals the initial value 0x0F84BC1F88E8, decryption is finished, so jump to the success block.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">uint64_t saved_rdx = rdx;\nint key = 0;\n\nwhile(key &lt; 0x5e) {\n        rbx = saved_rdx - key*8;\n        \/\/ printf(\"rbx_a: 0x%lx\\n\", rbx);\n        if(rbx == 0x0F84BC1F88E8) {\n            rdx = 0; \/\/ back at the initial rbx: this key is the first character\n            goto success;\n        }\n        rbx -= 0x0C200C6D3267C529D;\n        \/\/ printf(\"rbx_b: 0x%lx\\n\", rbx);\n        rbx *= modinv_newton(0x0B216CB3C48C1E693);\n        \/\/ printf(\"rbx_c: 0x%lx\\n\", rbx);\n        rdx = find_matching_rdx_in_mapped_regions(rbx);\n        if(rdx == 0) {\n            key++;\n            continue;\n        }\n        success:\n    
    \/\/ printf(\"for rdx: 0x%lx\\n\", rdx);\n        saved_rdx = rdx;\n        char ch = (char)key+0x20;\n        \/\/ printf(\"key: %c\\n\", ch);\n        \n        char temp[2];\n        temp[0] = ch;\n        temp[1] = '\\0'; \n        strcat(flag, temp);\n\n        key = 0;\n    }<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.c<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;fcntl.h>\n#include &lt;unistd.h>\n#include &lt;dirent.h>\n#include &lt;string.h>\n#include &lt;sys\/mman.h>\n#include &lt;errno.h>\n#include &lt;stdint.h>\n\n#define DUMP_DIR \".\/dumped\"\n\nint mmap_rwx_from_dumped() {\n    DIR *dir = opendir(DUMP_DIR);\n    if (!dir) {\n        perror(\"opendir\");\n        return 1;\n    }\n\n    struct dirent *entry;\n    char path[1024];\n\n    while ((entry = readdir(dir)) != NULL) {\n        if (entry->d_type != DT_REG) continue; \/\/ skip non-regular files\n\n        \/\/ \ud30c\uc77c\uba85 \ud30c\uc2f1: 0x\uc8fc\uc18c_\ud06c\uae30.bin\n        uint64_t base_addr = 0;\n        size_t size = 0;\n        if (sscanf(entry->d_name, \"0x%lx_%lu.bin\", &amp;base_addr, &amp;size) != 2) {\n            fprintf(stderr, \"\ud30c\uc77c\uba85 \ud30c\uc2f1 \uc2e4\ud328: %s\\n\", entry->d_name);\n            continue;\n        }\n\n        snprintf(path, sizeof(path), \"%s\/%s\", DUMP_DIR, entry->d_name);\n\n        \/\/ \ud30c\uc77c \uc5f4\uae30\n        int fd = open(path, O_RDONLY);\n        if (fd &lt; 0) {\n            perror(\"open\");\n            continue;\n        }\n\n        \/\/ mmap\n        void *mapped = mmap((void *)base_addr, size, PROT_READ | PROT_WRITE | PROT_EXEC,\n                            MAP_PRIVATE | MAP_FIXED, fd, 0);\n        if (mapped == MAP_FAILED) {\n            
fprintf(stderr, \"mmap \uc2e4\ud328: %s - %s\\n\", entry->d_name, strerror(errno));\n            close(fd);\n            continue;\n        }\n\n        \/\/ printf(\"\ub9e4\ud551 \uc131\uacf5: %s -> %p (%lu bytes)\\n\", entry->d_name, mapped, size);\n        close(fd);\n    }\n\n    closedir(dir);\n    return 0;\n}\n\nint readbuf(uint64_t addr, void* output, size_t size) {\n    memcpy((void*)output, addr, size);\n    return 0;\n}\n\nuint64_t read64(uint64_t what) {\n    uint64_t value = 0;\n    readbuf(what, &amp;value, sizeof(value));\n    return value;\n}\n\nuint64_t find_matching_rdx_in_mapped_regions(uint64_t target_xor_result) {\n    uint64_t saved_addr = 0;\n    FILE *maps = fopen(\"\/proc\/self\/maps\", \"r\");\n    if (!maps) {\n        perror(\"fopen \/proc\/self\/maps\");\n        return 1;\n    }\n\n    char line[256];\n    while (fgets(line, sizeof(line), maps)) {\n        unsigned long start, end;\n        char perms[5];\n        \/\/ maps \ud30c\uc77c \ud55c \uc904\uc5d0\uc11c \uc2dc\uc791\uc8fc\uc18c-\ub05d\uc8fc\uc18c \uad8c\ud55c \ubd80\ubd84\ub9cc \ud30c\uc2f1\n        if (sscanf(line, \"%lx-%lx %4s\", &amp;start, &amp;end, perms) != 3)\n            continue;\n\n        \/\/ RWX \uad8c\ud55c\uc744 \uac00\uc9c4 \uad6c\uac04\uc778\uc9c0 \ud655\uc778\n        if (perms[0] != 'r' || perms[1] != 'w' || perms[2] != 'x')\n            continue;\n\n        \/\/ \uad6c\uac04\uc744 8\ubc14\uc774\ud2b8 \ub2e8\uc704\ub85c \uc21c\ud68c\n        for (uint64_t addr = start; addr + 8 &lt;= end; addr += 8) {\n            uint64_t val = read64(addr);\n            \/\/ printf(\"val: 0x%lx\\n\", val);\n            if ((val ^ addr) == target_xor_result) {\n                \/\/ printf(\"\ucc3e\uc74c! 
rdx = 0x%016lx (read64=0x%016lx)\\n\",\n                    \/\/    addr, val);\n                saved_addr = addr;\n            }\n        }\n        \/\/ printf(\"start: 0x%lx, end: 0x%lx\\n\", start, end);\n    }\n\n    fclose(maps);\n    return saved_addr;\n}\n\n\/\/ 1) modular inverse mod 2^64 by Newton iteration (a must be odd)\nuint64_t modinv_newton(uint64_t a) {\n    uint64_t x = 1;  \/\/ a is odd, so 1 is already the inverse mod 2\n    for (int i = 0; i &lt; 6; i++) {\n        x = x * (2 - a * x);  \/\/ x_{n+1} = x_n * (2 - a*x_n): correct low bits double each step, 1 -> 64\n    }\n    return x;\n}\n\n\/\/ the flag is recovered last character first, so print it reversed\nvoid print_reverse(const char* str) {\n    int len = strlen(str);\n    for (int i = len - 1; i >= 0; i--) {\n        putchar(str[i]);\n    }\n    putchar('\\n');  \/\/ newline\n}\n\nint main(void) {\n    mmap_rwx_from_dumped();\n    char flag[128];\n    memset(flag, 0, 128);\n\n    \/\/ undo the last step: target rbx -> (read64(rdx) ^ rdx) -> rdx\n    uint64_t rbx = 0x7038FC00BE0;\n    rbx -= 0x0C200C6D3267C529D;\n    \/\/ printf(\"rbx2: 0x%lx\\n\", rbx);\n    rbx *= modinv_newton(0x0B216CB3C48C1E693);\n    \/\/ printf(\"rbx: 0x%lx\\n\", rbx);\n    uint64_t rdx = find_matching_rdx_in_mapped_regions(rbx);\n    \/\/ printf(\"rdx: 0x%lx\\n\", rdx);\n\n    uint64_t saved_rdx = rdx;\n    int key = 0;\n\n    while(key &lt; 0x5e) {\n        rbx = saved_rdx - key*8;\n        \/\/ printf(\"rbx_a: 0x%lx\\n\", rbx);\n        if(rbx == 0x0F84BC1F88E8) {\n            rdx = 0; \/\/ back at the initial rbx: this key is the first character\n            goto success;\n        }\n        rbx -= 0x0C200C6D3267C529D;\n        \/\/ printf(\"rbx_b: 0x%lx\\n\", rbx);\n        rbx *= modinv_newton(0x0B216CB3C48C1E693);\n        \/\/ printf(\"rbx_c: 0x%lx\\n\", rbx);\n        rdx = find_matching_rdx_in_mapped_regions(rbx);\n        if(rdx == 0) {\n            key++;\n            continue;\n        }\n        success:\n        \/\/ printf(\"for rdx: 0x%lx\\n\", rdx);\n        saved_rdx = rdx;\n        char ch = (char)key+0x20;\n        \/\/ printf(\"key: %c\\n\", ch);\n        \n        char temp[2];\n        
temp[0] = ch;\n        temp[1] = '\\0'; \n        strcat(flag, temp);\n\n        key = 0;\n        if(saved_rdx == 0) break; \/\/ first character appended: nothing left to decode\n    }\n    printf(\"flag: \");\n    print_reverse(flag);\n    printf(\"\\n\");\n\n    return 0;\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ .\/solve\nflag: lactf{i_l0v3_l1nux_elf_p4rs1ng}<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/technically-correct$ .\/technically_correct lactf{i_l0v3_l1nux_elf_p4rs1ng}\nyes<\/pre>\n","protected":false},"author":1,"categories":[19],"tags":[24],"class_list":["post-3382","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-reversing"]}