Seccon 2018 Runme Writeup

LeeDoHyun · March 27, 2020

You are given a file called runme.exe. Opening it in IDA shows a huge number of functions, and the very first one already looks suspicious.

.text:00401034 sub_401034      proc near               ; CODE XREF: start+10↑p
.text:00401034
.text:00401034 arg_0           = byte ptr  8
.text:00401034 arg_4           = dword ptr  0Ch
.text:00401034
.text:00401034                 push    ebp
.text:00401035                 mov     ebp, esp
.text:00401037                 push    esi
.text:00401038                 movzx   ecx, [ebp+arg_0]
.text:0040103C                 mov     edx, [ebp+arg_4]
.text:0040103F                 movzx   edx, byte ptr [edx]
.text:00401042                 cmp     ecx, edx
.text:00401044                 jnz     loc_4018BB
.text:0040104A                 mov     ecx, 1
.text:0040104F                 mov     edx, [ebp+arg_4]
.text:00401052                 inc     edx
.text:00401053                 push    edx
.text:00401054                 push    43h
.text:00401056                 call    sub_401060
.text:0040105B                 pop     esi
.text:0040105C                 mov     esp, ebp
.text:0040105E                 pop     ebp
.text:0040105F                 retn

This function pushes 43h, and the next function pushes 3Ah: each function compares one byte of the string against the byte it was handed and then passes the next expected byte to the next function. Collect all of these immediates and convert them to a string, and it's solved.

solve.py

# the immediates pushed by each function in the chain, in call order
c = [0x43,0x3a,0x5c,0x54,0x65,0x6d,0x70,0x5c,0x53,0x45,0x43,0x43,0x4f,0x4e,0x32,0x30,0x31,0x38,0x4f,0x6e,0x6c,0x69,0x6e,0x65,0x2e,0x65,0x78,0x65,0x22,0x20,0x53,0x45,0x43,0x43,0x4f,0x4e,0x7b,0x52,0x75,0x6e,0x6e,0x31,0x6e,0x36,0x5f,0x50,0x34,0x37,0x68,0x7d]
d = ""

for i in c:
    d += chr(i)
    print(d)  # print after every byte, so the string builds up line by line
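As an added example (not part of the original writeup), the list `c` above does not have to be typed by hand: the script below pulls every `push <imm>h` that is immediately followed by a `call sub_…` out of an IDA text listing and joins the immediates into the expected string. The listing it runs on is constructed: only the first function is the one shown on the page, the two that follow are assumed to have the same shape.

```python
import re

# Constructed listing: the first function is the one shown in the writeup,
# the next two are assumed to follow the same pattern (cmp/jnz, push the
# next expected byte, call the next function in the chain).
SAMPLE_LISTING = """\
.text:00401034 sub_401034      proc near
.text:00401042                 cmp     ecx, edx
.text:00401044                 jnz     loc_4018BB
.text:00401053                 push    edx
.text:00401054                 push    43h
.text:00401056                 call    sub_401060
.text:00401060 sub_401060      proc near
.text:0040106E                 cmp     ecx, edx
.text:00401070                 jnz     loc_4018BB
.text:0040107F                 push    edx
.text:00401080                 push    3Ah
.text:00401082                 call    sub_40108C
.text:0040108C sub_40108C      proc near
.text:0040109A                 cmp     ecx, edx
.text:0040109C                 jnz     loc_4018BB
.text:004010AB                 push    edx
.text:004010AC                 push    5Ch
.text:004010AE                 call    sub_4010B8
"""

# IDA writes immediates as hex with an 'h' suffix (43h, 3Ah, 0Ch).
PUSH_IMM = re.compile(r"^\.text:[0-9A-F]{8}\s+push\s+([0-9A-F]+)h\s*$", re.I)
CALL_SUB = re.compile(r"^\.text:[0-9A-F]{8}\s+call\s+(sub_[0-9A-F]+)\s*$", re.I)

def extract_chain(listing):
    """Return (expected_string, callees): one byte for every
    'push <imm>h' that is immediately followed by 'call sub_xxx'.
    Register pushes (push edx) and all other lines are ignored."""
    chars, callees = [], []
    pending = None
    for line in listing.splitlines():
        m = PUSH_IMM.match(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = CALL_SUB.match(line)
        if m and pending is not None:
            chars.append(pending)
            callees.append(m.group(1))
        pending = None  # a push not followed by a call is not part of the chain
    return bytes(chars).decode("latin-1"), callees
```

Run on the full listing exported from IDA, the first element of the result is the same string that solve.py builds from `c`.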

The output comes out really nicely, so I'm posting it.

C
C:
C:\
C:\T
C:\Te
C:\Tem
C:\Temp
C:\Temp\
C:\Temp\S
C:\Temp\SE
C:\Temp\SEC
C:\Temp\SECC
C:\Temp\SECCO
C:\Temp\SECCON
C:\Temp\SECCON2
C:\Temp\SECCON20
C:\Temp\SECCON201
C:\Temp\SECCON2018
C:\Temp\SECCON2018O
C:\Temp\SECCON2018On
C:\Temp\SECCON2018Onl
C:\Temp\SECCON2018Onli
C:\Temp\SECCON2018Onlin
C:\Temp\SECCON2018Online
C:\Temp\SECCON2018Online.
C:\Temp\SECCON2018Online.e
C:\Temp\SECCON2018Online.ex
C:\Temp\SECCON2018Online.exe
C:\Temp\SECCON2018Online.exe"
C:\Temp\SECCON2018Online.exe"
C:\Temp\SECCON2018Online.exe" S
C:\Temp\SECCON2018Online.exe" SE
C:\Temp\SECCON2018Online.exe" SEC
C:\Temp\SECCON2018Online.exe" SECC
C:\Temp\SECCON2018Online.exe" SECCO
C:\Temp\SECCON2018Online.exe" SECCON
C:\Temp\SECCON2018Online.exe" SECCON{
C:\Temp\SECCON2018Online.exe" SECCON{R
C:\Temp\SECCON2018Online.exe" SECCON{Ru
C:\Temp\SECCON2018Online.exe" SECCON{Run
C:\Temp\SECCON2018Online.exe" SECCON{Runn
C:\Temp\SECCON2018Online.exe" SECCON{Runn1
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P4
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P47
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P47h
C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P47h}
