Binary Leetness 200

For Binary Leetness 200, the hint given is that running the challenge binary writes a password to a specific memory region. Running the binary prints the following message:

    [root@defcon defcon]# ./bin200
    5...4...3...2...1... The key is ready!

There are several ways to approach the problem, but since the hint already says that the password is recorded in a specific region at run time, it can be solved easily by comparing the memory of the process before and after the write. First, we set a breakpoint before the key is written to that memory region and dump the stack region:

    [root@defcon defcon]# gdb bin200
    GNU gdb Red Hat Linux
    (gdb) b *0x80483f0
    Breakpoint 1 at 0x80483f0
    (gdb) r
    Starting program:
    (gdb) dump memory ./before_write_the_key 0xbfffe000 0xc0000000

Then, to get the state after the key has been written for comparison, we wait for the 'The key is ready!' message, attach to the process, and dump the same range:

    [root@defcon defcon]# ps|grep bin200
    1996 pts/2 00:00:00 bin200
    [root@defcon defcon]# gdb -p 1996
    (gdb) dump memory ./after_write_the_key 0xbfffe000 0xc0000000

First, here is the memory region dumped before the write to the stack:

    [root@defcon defcon]# strings before_write_the_key
    Linux s.com 2.6.8-022stab078.19-smp #1 SMP Mon Aug 28 15:30:39 MSD 2006 i686 (none) i686
    .... (omitted)

Now the memory region dumped after the write to the stack:

    [root@defcon defcon]# strings after_write_the_key
    ehT yek ":si evas ie d f ,p "!wt !wt- ,p0e d,vas !wt0 i686 ./bin200
    .... (omitted) ...

Reversing it, you can see the message The key is:"saved ip, ftw!". This value is the answer.

Binary200 key: saved eip, ftw!
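The before/after comparison above can be done on the raw dump files instead of reading the strings output by eye. This is an added example, not part of the original write-up: it assumes both dumps cover the same address range and that the text was stored as 4-byte words with their bytes reversed (which the strings output above suggests); the sample dumps inside it are constructed.

```python
import sys

WORD = 4  # assumption: text is stored as 4-byte words with their bytes reversed

def changed_runs(before, after, gap=WORD):
    """Yield (start, end) offsets of runs that differ between the dumps.
    Runs split by fewer than `gap` equal bytes are merged: a written byte
    can coincide with the value that was already there."""
    if len(before) != len(after):
        raise ValueError("dumps must cover the same address range")
    start = last = None
    for i, (b, a) in enumerate(zip(before, after)):
        if b == a:
            continue
        if start is not None and i - last > gap:
            yield start, last + 1
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        yield start, last + 1

def recover_text(before, after, min_len=8):
    """Return (offset, text) for printable text in changed, un-swapped words."""
    found = []
    for start, end in changed_runs(before, after):
        lo, hi = start - start % WORD, end + (-end % WORD)  # widen to word bounds
        chunk = after[lo:hi]
        plain = b"".join(chunk[i:i + WORD][::-1] for i in range(0, len(chunk), WORD))
        text = "".join(chr(c) if 32 <= c < 127 else "\0" for c in plain)
        found += [(lo, t) for t in text.split("\0") if len(t) >= min_len]
    return found

def make_sample():
    """Constructed dumps (not the challenge's data): 28 bytes written at offset 16."""
    msg = b'The key is:"example key 123"'
    stored = b"".join(msg[i:i + WORD][::-1] for i in range(0, len(msg), WORD))
    before = bytes(64) + b"i686" + bytes(60)
    return before, before[:16] + stored + before[16 + len(stored):]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. before_write_the_key after_write_the_key
        before, after = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        before, after = make_sample()
    for off, text in recover_text(before, after):
        print(f"+0x{off:x}: {text}")
```

Offsets are relative to the start of the dump, so add the dump's base address (0xbfffe000 in the session above) to get the stack address of a hit.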