Hi. I'm Eom, a code monkey. In this lecture I'll talk about yeokrang (역랑), the third flower of reversing. Yeokrang means the act of cloning a library. To use that capability comfortably you first need software debugging, so get hold of that debugging capability on your own. I won't explain how to use it, since I expect some cheaters would show up just to curse at me. That part is, in a way, hard-won know-how, so handing it out would be a bit much... I'll only give you the theory. Still, I expect plenty of people will read this and copy it anyway. In any case, with that debugging capability you can reach higher-level functions that are hard to reach even with the debugger that Visual Studio ships. So what are the advantages of yeokrang? First, from a hacker's point of view, you can now claim that CRC has become meaningless. If you can rework the sub-syscall functions, why couldn't you clone the main function as well? lol. What follows is a copy of an MD5 assembly yeokrang that I had only half finished.
[ENABLE] //code from here to '[DISABLE]' will be used to enable the cheat
createThread(find2)
label(goto1)
label(goto2)
define(find,00C00A20)
Registersymbol(find)
define(find2,00C00f20)
Registersymbol(find2)
label(loop)
label(put1)

00BFFDC0:
db 2A
00BFFDC0+40:
dd 59742A13
00BFFDC0+48:
dd 1
00BFFDC0+4C:
dd 000A7325

find:
repne jne find+5
repne ret
push ebp
mov ebp,esp
sub esp,00
push eax

find2:
push ebp
mov ebp,esp
sub esp,00000218
push ebx
push esi
push edi
lea edi,[ebp-00000218]
mov ecx,00000086
mov eax,CCCCCCCC
repe stosd
mov eax,[00BFFDC0+40]
xor eax,ebp
mov [ebp-04],eax
mov ecx,00BFFDC0+48 //1
call put1
mov eax,[ebp+08]
push 00BFFDC0 //42
push 00000104
mov eax,[ebp+08]
push eax
call 00A7C710 //7ffff // mov esi,esp
lea eax,[ebp-00000148]
push eax
mov ecx,[ebp+08]
push ecx
call dword ptr [MapleStory.exe+710054]
mov esi,esp
call find
mov [ebp-00000154],eax
cmp dword ptr [ebp-00000154],-01
jne loop
mov esi,esp
call dword ptr [kernel32.GetLastError]
cmp esi,esp
call find
jmp fun2

loop:
mov eax,[ebp-00000148]
and eax,20
je loop2
lea eax,[ebp-0000011C]

loop2:
mov esi,esp
lea eax,[ebp-00000148]
push eax
mov ecx,[ebp-00000154]
push ecx
call dword ptr [MapleStory.exe+710054] //filae
cmp esi,esp
call find
test eax,eax
jne loop
mov esi,esp
mov eax,[ebp-00000154]
push eax
call dword ptr [MapleStory.exe+710050] //close

fun2:
push edx
mov ecx,ebp
push eax
lea edx,[ConsoleApplication11.exe+11CC4] //1
call fun3
pop eax
pop edx
pop edi
pop esi
pop ebx
mov ecx,[ebp-04]
xor ecx,ebp
call ConsoleApplication11.exe+11154
add esp,00000218
cmp ebp,esp
call ConsoleApplication11.exe+11253
mov esp,ebp
pop ebp
ret

fun3:
push ebp
mov ebp,esp
push ecx
push ebx
mov ebx,edx
mov [ebp-04],ecx
push esi
xor esi,esi
cmp [ebx],esi
jle get
push edi
xor edi,edi
mov ecx,[ebx+04]
mov eax,[ebp-04]
mov edx,[ecx+edi]
cmp [edx+eax-04],CCCCCCCC
jne get2
mov eax,[ecx+edi+04]
add eax,edx
mov edx,[ebp-04]
cmp [eax+edx],CCCCCCCC
je get3
push [ecx+edi+08]
mov eax,[ebp+04]
push eax
call ConsoleApplication11.exe+11352

get2:
add esp,08

get3:
inc esi
add edi,0C
cmp esi,[ebx]
jl ConsoleApplication11.exe+12174
pop edi

get:
pop esi
pop ebx
mov esp,ebp
pop ebp
ret

00BFFDC0+58:
dd #19

scand:
label(scand2)
push ebp
mov ebp,esp
sub esp,00000404 { 1028 }
mov eax,[00BFFDC0+58] { (19) }
xor eax,ebp
mov [ebp-04],eax
push ebx
mov ebx,[ebp+08]
push esi
mov esi,[ebp+0C]
push edi
mov edi,[00BFFDC0+48] { (1) }
cmp edi,-01 { 255 }
je scand2
cmp byte ptr [esi],00 { 0 }
je ConsoleApplication11.exe+12A88
push esi
call ConsoleApplication11.exe+12B70
add eax,2D { 45 }
add esp,04 { 4 }
cmp eax,00000400 { 1024 }
ja ConsoleApplication11.exe+12A88
push ConsoleApplication11.exe+17BA4 { ("Stack around the variable '") }
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+11366
push esi
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+1134D
push ConsoleApplication11.exe+17BC0 { ("' was corrupted.") }
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+1134D
add esp,24 { 36 }
lea eax,[ebp-00000404]
jmp ConsoleApplication11.exe+12A8D
mov eax,ConsoleApplication11.exe+18080 { ("Stack corrupted near unknown variable") }
push eax
push 02 { 2 }
push edi
push ebx
call ConsoleApplication11.exe+12B90
add esp,10 { 16 }
mov ecx,[ebp-04]
pop edi
pop esi
xor ecx,ebp
pop ebx
call ConsoleApplication11.exe+11154
mov esp,ebp
pop ebp
ret

scand2:
mov ecx,[ebp-04]
pop edi
pop esi
xor ecx,ebp
pop ebx
call ConsoleApplication11.exe+11154
mov esp,ebp
pop ebp
ret

scand3:
cmp ecx,[ConsoleApplication11.exe+1A004] { (19) }
repne jne scand3+5
repne ret
repne jmp scand4

scand4:
push ebp
mov ebp,esp
sub esp,00000324
push 17
call ConsoleApplication11.exe+111D6 //76975135
test eax,eax
je scand5
mov ecx,00000002
int 29

scand5:
mov [ConsoleApplication11.exe+1A248],eax
mov [ConsoleApplication11.exe+1A244],ecx
mov [ConsoleApplication11.exe+1A240],edx
mov [ConsoleApplication11.exe+1A23C],ebx
mov [ConsoleApplication11.exe+1A238],esi
mov [ConsoleApplication11.exe+1A234],edi
mov [ConsoleApplication11.exe+1A260],ss
mov [ConsoleApplication11.exe+1A254],cs
mov [ConsoleApplication11.exe+1A230],ds
mov [ConsoleApplication11.exe+1A22C],es
mov [ConsoleApplication11.exe+1A228],fs
mov [ConsoleApplication11.exe+1A224],gs
pushfd
pop [ConsoleApplication11.exe+1A258]
mov eax,[ebp+00]
mov [ConsoleApplication11.exe+1A24C],eax
mov eax,[ebp+04]
mov [ConsoleApplication11.exe+1A250],eax
lea eax,[ebp+08]
mov [ConsoleApplication11.exe+1A25C],eax
mov eax,[ebp-00000324]
mov [ConsoleApplication11.exe+1A198],00010001
mov eax,[ConsoleApplication11.exe+1A250]
mov [ConsoleApplication11.exe+1A154],eax
mov [ConsoleApplication11.exe+1A148],C0000409
mov [ConsoleApplication11.exe+1A14C],00000001
mov [ConsoleApplication11.exe+1A158],00000001
mov ecx,00000004
imul edx,ecx,00
mov [edx+ConsoleApplication11.exe+1A15C],00000002
mov eax,00000004
imul ecx,eax,00
mov edx,[ConsoleApplication11.exe+1A004]
mov [ebp+ecx-08],edx
mov eax,00000004
shl eax,00
mov ecx,[ConsoleApplication11.exe+1A000]
mov [ebp+eax-08],ecx
push ConsoleApplication11.exe+18230
call ConsoleApplication11.exe+113C5
mov esp,ebp
pop ebp
ret
[DISABLE]

If you just make function calls this way, even functions "encrypted" with SHA-256 or MD5 can be invoked without any resistance: no IAT, EIP or CRC bypass or anything of the sort, you simply fire the call. Do you know why that is possible? It is because of the recursive structure. Exploiting the weakness of that recursive structure is exactly what yeokrang is. Oh, and what I posted above is not the complete yeokrang used for the MD5 function call; I didn't upload all of it and pulled out a few places in case someone abuses it. (That too is, in a way, proprietary technique, know-how.) If you apply it well, MD5 actually gets faster, but that isn't what matters, is it? CRC? Anti-debugging? Saving integers on the stack? Useless. Those functions were simply cloned and then reworked to suit my own use, so on their own they really have no meaning. Yeah.
As you may have noticed, yeokrang is library cloning. How you clone is a matter of your own skill, but it means using the debugger to work out the dynamic role of the code in question and, at the point of the stack save and return, handling the countless gotos, the indirect functions that make the system calls, and the exception handling yourself from one to ten, rather than leaving that to the compiler or the operating system, and in doing so swapping the indirectly affected recursive-structure function for a higher-level function that runs riot over the kernel. In other words, the advantage of yeokrang is that even without privileges, by turning the indirect recursive structure against itself, it makes it easy to use the functions that are used when trampling privileges, and even with some limits it helps you run riot with kernel privileges... Honestly I consider it one of the few techniques that let you do that. In fact, the protections grafted onto Artale can be seen as products of yeokrang, and the odd phenomenon of a CRC running in virtual hardware memory didn't come for free: it is possible by taking the syscall function, reworking it midway in the main function, and pushing it back up as a system function. That is, you wander here and there through the driver-signing domain via indirect recursive functions, and if, midway through the process of asking the higher-level functions that made the syscall to do the computation for you, you insert your own reworked "inverse formula" and make the syscall, then making a CRC run in the CPU's virtual area without even bringing up a VM becomes possible through sheer craft, contrary to the belief that it is only possible in the driver-signing domain. The interception technique used on the main server, which relies on the recursive structure called the IAT, should also be seen as one variety of this. But a multi-inverse IAT, where the IAT's inversion has been inserted tens, hundreds, thousands more times, is in a way what you could call yeokrang... That said, legitimate professionals usually don't do this, naturally, and call it stupid. Because if you load a driver, all of that is solved in one shot.
And no wonder: from a legitimate professional's point of view, if you skip the easy, ready-made libraries that MS built into the operating system and instead clone libraries through endless toil, they will probably ask why. Something like: "If you hit a privilege problem, just load a kernel driver like 사x코드 does and run riot, right? hehehe You're an idiot." But if you aren't an antivirus company employee, yeokrang is what lets you resolve compatibility problems to some extent and trample privileges while still getting performance. The reason so many restrictions were put on functions this way is that in the XP era hackers wreaked so much havoc with malware that from Win7 on, unsigned drivers were blocked from loading. That is probably why security got torn to shreds in the XP era. So yeokrang, inverting the recursive structure of functions like the ones above and changing the formula, should be seen as one of the few compilations of craft, and a technical feat, that make trampling privileges easy without loading a driver. The advantages of yeokrang are as follows: being able to unlock the restrictions locked onto functions. Once low-level developers reach a certain level, they can digest absurdly large amounts of this kind of work, and grafting that onto syscall functions is exactly what yeokrang is. To illustrate the advantage (not with a syscall function, but as an analogy): say you use %08X with a string-returning function and go past about 16 characters; in the stock library, when it makes the system call, exception handling kicks in and bounces you. Below is a script I was writing while building a sniffer with yeokrang, posted simply as example material.
push ebp
mov ebp,esp
sub esp,000000D8
push ebx
push esi
push edi
lea edi,[ebp-000000D8]
mov ecx,00000036
mov eax,CCCCCCCC
repe stosd
mov ecx,Dll1.dll+2302D
call Dll1.dll+114F1
lea eax,[ebp+10]
mov [ebp-08],eax
mov eax,[ebp-08]
push eax
mov ecx,[ebp+0C]
push ecx
push F //<< the size-limit argument that caps the string at 16 characters
mov edx,[ebp+08]
push edx
call Dll1.dll+16B9D
add esp,10
pop edi
pop esi
pop ebx
add esp,000000D8
cmp ebp,esp
call Dll1.dll+113AC
mov esp,ebp
pop ebp
ret

If you use this as-is, the compiler is clever: as a kind of exception handling, when a string longer than 16 characters enters that library it reads the string's size and, if it exceeds 16, treats it as an error, and it hardcodes that argument as a fixed argument rather than a variable one. If the functions the operating system provides were like that too, it would be a headache, wouldn't it? But if you change the function that imposes the argument limit, you can lift that restriction. Then again, the functions that make system calls run inside the operating system, so you can't do that to them, right? And even if you did, it would only run on your machine, not on other users', so commercializing it would be hard. But with yeokrang, you can change the "inverse formula" laid out by the function that makes the system call, and use that instead. Being able to reach the higher-level syscall functions without privileges is the advantage of yeokrang. Frankly, it is just recursively intercepting the kernel and reworking the function to spit out its arguments, so you can run riot over the kernel even with no privileges at all. The thing is, no matter how many papers and references I searched, I couldn't find any term or phrase for this practice. Normally nobody does this. The debuggers that can show you the functions making the system calls are limited, that's why.
Anyway, the advantages: you can reduce the protections of most online games that are said to be hard to break to rags, you can indirectly but partially trample high-privilege functions, or, by stripping out the unnecessary parts of a function, you can make the functions MS provides in the operating system run faster than stock. In fact, the sleepde I cloned was much faster than the SleepEx the operating system provides.

alloc(sleepdefine,188)
alloc(sleepdefine2,900)
alloc(sleepdefine3,900)
Registersymbol(sleepdefine)

sleepdefine3:
push 38
push KERNELBASE.BemFreeContract+3FE
call KERNELBASE.IsNLSDefinedString+473
mov [ebp-48],00000024
mov [ebp-44],00000001
push 07
pop ecx
xor eax,eax
lea edi,[ebp-40]
repe stosd
xor edi,edi
mov [ebp-1C],edi
cmp [ebp+0C],edi
je sleepdefine3+39
xor edx,edx
lea ecx,[ebp-48]
call dword ptr [KERNELBASE.dll+1058]
mov [ebp-04],edi
push [ebp+08]
lea eax,[ebp-24]
push eax
call KERNELBASE.IsNLSDefinedString+C81
mov esi,eax
cmp esi,edi
jne sleepdefine3+5B
mov [ebp-24],edi
mov [ebp-20],80000000
lea esi,[ebp-24]
push esi
push [ebp+0C]
call dword ptr [KERNELBASE.dll+10FC]
mov [ebp-1C],eax
cmp [ebp+0C],edi
je KERNELBASE.SleepEx+74
cmp eax,00000101
je sleepdefine3+5B
mov [ebp-04],FFFFFFFE
call sleepdefine3+96
mov eax,000000C0
cmp [ebp-1C],eax
je sleepdefine3+8C
xor eax,eax
call KERNELBASE.IsNLSDefinedString+4B8
ret 0008
xor edi,edi
cmp [ebp+0C],edi
je sleepdefine3+A4
lea ecx,[ebp-48]
call dword ptr [KERNELBASE.dll+1050]
ret
int 3
int 3
int 3
int 3
int 3

sleepdefine2:
mov edi,edi
push ebp
mov ebp,esp
push 00
push [ebp+08]
call sleepdefine3
pop ebp
ret 0004
int 3
int 3
int 3
int 3
int 3

sleepDefine:
mov edi,edi
push ebp
mov ebp,esp
pop ebp
jmp sleepdefine2............ mv.....

In short, yeokrang is simply function cloning.
Quite literally, being able to freely clone the functions used at the kernel level without privileges, and to take control of them, should be seen as a technical art that exploits the weakness of function calls built on a recursive structure. The reason you can swap out a restricted system call through requests to indirect functions like these, and run riot even without privileges, lies in the recursive structure of functions. Once a function is used, it imports into another function and makes an indirect request to pass its arguments down. And because such a function, if it sits in a similar region, can make several requests as a single function, even if using it means struggling with a great many libraries and privilege problems, through inversion you can swap the simple function that merely asks for some data processing during that exception handling for a higher-level function that makes the system call. In short, it's simple. Even without privileges, tampering with kernel privileges indirectly (if only partially), unlocking locks, trampling privileges, and using monstrous, brute-force libraries and features all become possible through the practice of yeokrang described above.