Codegate Preliminary Match Repot

Size: px

Start display at page:

Download "Codegate Preliminary Match Repot"

여름 목
4 years ago
Views:

1 Codegate Preliminary Match Repot Historymaker

2 소개글 Code gate 뭐알아서참고.. ㅡㅡ ;;;

3 목차 1 4

4 :19 ================================================================== / Codegate Preliminary Match Repot / / / / CG8347 matrix / ================================================================== level 1. Question url is " All challengers connect this page and try to find the password. Id is "wowhacker". Hint TAG : 톰켓서버, php 확장자로맵핑, hint.jsp TAG 힌트로도혼돈이생길것같아 TAG를하나만사용하겠습니다. "hint.jsp 를공략하라 " h i n t. j s p? h i n e h o n g = < s c r i p t > 풀이. 힌트를따라가면암호화된키와평문을알수있다. Const gckey = "Wowhacker~!" Set xmlhttp = CreateObject("Microsoft.XMLHTTP") xmlhttp.open "GET", " "false" xmlhttp.send() MIGcBgkrBgEEAYI3WAOggY4wgYsGCisGAQQBgjdYAwGgfTB7AgMCAAECAmYCAgIA gaqiztxtltd/iyceeni9/i9uokvsqyvaiizuexceuho0zki14cvnrvf5wfkj7sl8 F8C3ksNOi/FxulOzCQlJKrn46BSN1VY3v1Q/0+hsyKycpFUFKwp+uC+Z4DubOLyq 1Evj8UymVOIAlrHwtHX3 Const gckey에대해검색한결과 Microsoft 에서제공하는각종보안, 암호화관련된기술로 4

5 현재 dll component 형태로제공이되고있다는것을알았고, 관련코드또한쉽게구할수있었다. Visual Basic을사용해간단한코딩한결과 password를알수있었다 폼 Private Sub Form_Load() Text1 = Module1.Decrypt("MIGcBgkrBgEEAYI3WAOggY4wgYsGCisGAQQBgjdYAwGgfTB7AgMCAAECAmYCAgIA gaqiztxtltd/iyceeni9/i9uokvsqyvaiizuexceuho0zki14cvnrvf5wfkj7sl8 F8C3ksNOi/FxulOzCQlJKrn46BSN1VY3v1Q/0+hsyKycpFUFKwp+uC+Z4DubOLyq 1Evj8UymVOIAlrHwtHX3 ") End Sub 모듈 Const gckey = "CryptKey~!" Public Function Encrypt(Message) Dim ed, key key = gckey Set ed = CreateObject("CAPICOM.EncryptedData") ed.content = Message ed.setsecret key Encrypt = ed.encrypt Set ed = Nothing End Function Public Function Decrypt(EncMessage) Dim ed, key key = gckey Set ed = CreateObject("CAPICOM.EncryptedData") ed.setsecret key ed.decrypt EncMessage Decrypt = ed.content Set ed = Nothing End Function 결과 dhkdngozjxlathvmxmvhfjaghdehdcjfgood 존재를잠시잊고아무생각없이 md5에위의값을넣는삽질을 1시간이상하다.--; 결국 wowhacker/dhkdngozjxlathvmxmvhfjaghdehdcjfgood 로로그인성공 The result is WowhackerFighting!!!!!@KoreaFighting&hinehong 다시 result is WowhackerFighting!!!!!@KoreaFighting&hinehong 에의한삽질몇분후 로 md5 생성후인증성공 5

6 md5 : c79a0d c451b82dc99f7fdc094 ============================================================================================ level 2 Hint [ 힌트 1] 레벨2번문제는해당게시판의취약점을이용하여비밀글을열람그비밀글안에내용이담겨져있습니다. 그내용에대한해결을하시는것이문제풀이에대한힌트입니다. 1. 제로보드취약점찾아서비밀글읽으시면됩니다. 2. 해당파일을다운받으시구리턴값을정확히파악하세요. [ 힌트 2] 1. 제로보드공개된취약점입니다. 2. 리버싱과관련없습니다. [ 힌트 3] 1. 제로보드취약점중특정변수 s_que 를이용한 sql injection(union select...) 이있습니다. 디비의멤버테이블을볼수있습니다. _member_info_included를통하여바로비밀글을읽을수있는취약점도발견되었습니다. 2. 다운로드한파일은암호화기법입니다. 반드시프로그램을통하여스트링을주고받으셔야합니다. 리버싱이아닌프로그램간의스트링을주고받습니다. 복호화키는 wowhacker 입니다 풀이. 문제에대해파악하던중 디렉토리리스팅되느것을알았고 ( 매직쿼터옵션이설정되어있다는걸알수이었습니다. \') zb4pl8.gz 파일을받을수있었습니다. 이를통해 zb4pl8 취약점에대해검색하던중 s_que를이용한 injection이가능하다는사실을알게되었습니다. zboard.php? id=freeboard&s_que=10%20union%20select%20no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no - 무작위로대입해서 zetyx_member_table 에 36개의컬럼이있다는걸알았고다시때려맞추기작업에들어갔습니다. zboard.php? id=freeboard&s_que=10%20union%20select%20no,no,no,no,no,no,no,no,no,no,no,no,no,no,user_id,user_id,user_id,leve 6

7 - 그결과 wowhacker와 webmaster의해쉬값을얻었으며 wowhacker의값을 bruteforce해서 good! 이란 passwd를얻었습니다. 로그인후 secret messeage를읽을수있었고, 내용에따라파일을다운받았습니다. 다운받은후프로그램을돌려봤으나서버에접속할수없어서종료되는불상사가발생했습니다. 어쩔수없이달콤한휴식을... ㅎㅎ Activation.exe 하나씩대입한결과 FD 1 GD 2 GF 3 FV 4 DV 5 AF 6 GX 7 AV 8 VV 9 GA a FA b DF c AX d VD e GV f AA g DD h VF i XV j DG k FF l XA m AG n AD o XD p XX q FX r VX s FG t VG u VA 7

8 v XG w DX x DA y GG z XF VDDAXDFFVVADAFFXAFAAVXYD 를만들어내야하며 1글자에 2개씩이니총 12자라는것을알수있었고, 이를통해 8fgkpy8fgkpy VVAADDFFXXGGVVAADDFFXXGG 를기본으로각자리비교대입각자리위치확인 ( 해당좌표 ex) 3-2 :3번째글자의 2번째알파벳 ) / 3-2, , , ,9 2-1, , , ,10-1 5,9 1-2,5 10-2, ,11-2 / 결과해킹은예술이라는사실을알수있었습니다. md5 : 90be449c342716e606e80c7a5b2080b8 ============================================================================================ level 3 Hint 관리자 -3월 23일 1시44분- 레벨3 Notepad.exe는 SVCH0ST.exe와 notepad.exe로구성되어있으며문제 ( 실행파일 ) 를실행시키면두개가같이실행이됩니다. SVCH0ST.exe에인증관련코드가담겨있습니다. ( 관련문자열 :Q`TThnmBmEQqdoBq`Uhnm) -3월 23일 13시10분- 프로세스목록에서 SVCH0ST.exe 에대한루트킷모듈동작중키를입력받아 " 특정루틴 " 을거친후 strcmp로해당문자열과비교합니다문자열이맞을경우입력한키값을 "Success" 문자열과함께보여줍니다. 즉올바른키값을입력하여인증에성공하면입력한키값이답입니다. 8

9 그키값을 MD5 하신후대회홈페이지에서인증을하시면됩니다 풀이. ms에서제공하는 filemon을이용하여 SVCH0ST.exe 파일을찾았습니다. 해당디렉토리 "C:\Documents and Settings\ms\Local Settings\Temp" 해당파일을 Peid를이용해서 "UPX / > Markus & Laszlo" 로패킹되어있다는것을알게되었습니다. PE.Explorer를이용해서 unpacking, un_svch0st.exe 로저장후분석하였습니다. OllyDBG로분석한해당루틴 B0 /$ 81EC A SUB ESP,1A B6. 56 PUSH ESI B7. 57 PUSH EDI B8. B MOV ECX, BD. BE C MOV ESI,un_SVCH C8 ; ASCII "################################################## ############### CodeGate NotePad ############### ################################################## " C2. 8D7C24 08 LEA EDI,DWORD PTR SS:[ESP+8] C6. 33C0 XOR EAX,EAX C8. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> CA. A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] CB. 8BB424 B001000>MOV ESI,DWORD PTR SS:[ESP+1B0] D2. B9 3F MOV ECX,3F D7. 8DBC24 A900000>LEA EDI,DWORD PTR SS:[ESP+A9] DE. C68424 A800000>MOV BYTE PTR SS:[ESP+A8], E6. F3:AB REP STOS DWORD PTR ES:[EDI] E8. 56 PUSH ESI E9. 66:AB STOS WORD PTR ES:[EDI] EB. E CALL un_svch F0. 83C4 04 ADD ESP, F3. 85C0 TEST EAX,EAX F A JNZ SHORT un_svch F7. 8D LEA EAX,DWORD PTR SS:[ESP+8] FB. 56 PUSH ESI ; /<%s> FC. 50 PUSH EAX ; <%s> FD. 8D8C24 B000000>LEA ECX,DWORD PTR SS:[ESP+B0] ; A PUSH un_svch a4 ; Format = "%s Success 9

10 Auth Key : %s" PUSH ECX ; s A. FF15 EC CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfa C4 10 ADD ESP, A 00 PUSH PUSH un_svch ; ASCII "Success!!" A PUSH un_svch ; ASCII "Success!!" F. EB 27 JMP SHORT un_svch > 8D LEA EDX,DWORD PTR SS:[ESP+8] D8424 A800000>LEA EAX,DWORD PTR SS:[ESP+A8] C. 52 PUSH EDX ; /<%s> D PUSH un_svch ; Format = "%s Trial Version " PUSH EAX ; s FF15 EC CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfa C4 0C ADD ESP,0C C. 6A 00 PUSH E PUSH un_svch ; ASCII "Trial Version!!" PUSH un_svch ; ASCII "Trial Version!!" > 8BB424 B801000>MOV ESI,DWORD PTR SS:[ESP+1B8] ; F. 56 PUSH ESI ; howner FF CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA D8C24 A800000>LEA ECX,DWORD PTR SS:[ESP+A8] D. 51 PUSH ECX ; /lparam E. 6A 00 PUSH 0 ; wparam = A 0C PUSH 0C ; Message = WM_SETTEXT PUSH ESI ; hwnd FF15 F CALL DWORD PTR DS:[<&USER32.SendMessageA>; \SendMessageA F POP EDI A. 5E POP ESI B. 81C4 A ADD ESP,1A \. C3 RETN 이중 Success와 Trial Version으로 0x004011F5 에서분기하는것을찾을수있으며 분기전 0x004011EB 에서 CALL un_svch 에의해입력한값이바뀐다는것을추측할수있고 EB. E CALL un_svch F0. 83C4 04 ADD ESP, F3. 85C0 TEST EAX,EAX 10

11 004011F A JNZ SHORT un_svch 다시 0x 을보면 /$ 81EC D SUB ESP,7D PUSH EBP PUSH ESI PUSH EDI B9 F MOV ECX,1F E. 33C0 XOR EAX,EAX D7C24 0D LEA EDI,DWORD PTR SS:[ESP+D] C C 00 MOV BYTE PTR SS:[ESP+C], BB424 E007000>MOV ESI,DWORD PTR SS:[ESP+7E0] F3:AB REP STOS DWORD PTR ES:[EDI] :AB STOS WORD PTR ES:[EDI] PUSH ESI PUSH un_svch ; ASCII "%s " A. AA STOS BYTE PTR ES:[EDI] B. E8 D CALL un_svch BFE MOV EDI,ESI C9 FF OR ECX,FFFFFFFF C0 XOR EAX,EAX C4 08 ADD ESP, A. 33ED XOR EBP,EBP C. F2:AE REPNE SCAS BYTE PTR ES:[EDI] E. F7D1 NOT ECX DEC ECX JE SHORT un_svch a PUSH EBX D5C24 10 LEA EBX,DWORD PTR SS:[ESP+10] BD6 MOV EDX,ESI A. 2BDE SUB EBX,ESI C > 8A02 /MOV AL,BYTE PTR DS:[EDX] E. 3C 61 CMP AL, C 08 JL SHORT un_svch a C 7A CMP AL,7A F 04 JG SHORT un_svch a FEC8 DEC AL 11

12 EB 0A JMP SHORT un_svch A > 3C 41 CMP AL, C. 7C 09 JL SHORT un_svch E. 3C 5A CMP AL,5A F 05 JG SHORT un_svch FEC0 INC AL > MOV BYTE PTR DS:[EBX+EDX],AL > 45 INC EBP BFE MOV EDI,ESI A. 83C9 FF OR ECX,FFFFFFFF D. 33C0 XOR EAX,EAX F. 42 INC EDX F2:AE REPNE SCAS BYTE PTR ES:[EDI] F7D1 NOT ECX DEC ECX BE9 CMP EBP,ECX ^72 D3 \JB SHORT un_svch c B POP EBX A > BF MOV EDI,un_SVCH ; ASCII "Q`TThnmBmEQqdoBq`Uhnm" F. 83C9 FF OR ECX,FFFFFFFF C0 XOR EAX,EAX F2:AE REPNE SCAS BYTE PTR ES:[EDI] F7D1 NOT ECX DEC ECX D4424 0C LEA EAX,DWORD PTR SS:[ESP+C] D. 51 PUSH ECX E. 50 PUSH EAX F PUSH un_svch ; ASCII "Q`TThnmBmEQqdoBq`Uhnm" A4. E8 A CALL un_svch A9. 83C4 0C ADD ESP,0C AC. F7D8 NEG EAX AE. 5F POP EDI AF. 5E POP ESI B0. 1BC0 SBB EAX,EAX B2. 5D POP EBP B3. 81C4 D ADD ESP,7D B9 \. C3 RETN x004013A4 에서 breakpoint를걸고실행, matrix를입력하였을때, 값이바뀐 eax를볼수있습니다. 12

13 EAX 0012E9E4 ASCII "l'sqhw".. ESI 0012F370 "matrix" 이를이용해서 matrix대신모든알파뱃을넣었습니다. EAX 0012E9E4 ASCII "`abcdefghijklmnopqrstuvwxybcdefghijklmnopqrstuvwxyz[".. ESI 0012F370 ASCII "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz" 한자리씩밀렸으면소문자에선 "a" 대신 "`", 대문자에선 "Z" 대신 "[" 임을알수있습니다. 맨위에인증값을보면 "Q`TThnmBmEQqdoBq`Uhnm" 임을확인할수있고이값이나오기위해좀전에구한알파벳으로다시조합할수있습니다. PaSSionAnDPrepAraTion md5 : 19985fa6ebb27e837c27181cd962376f ============================================================================================ level 4 Hint prog 프로그램의복호화방식은따로구현한간단한알고리즘입니다. 다른공개암호알고리즘이아닙니다. char *keys[10] = { "98a4c18682f8dc33678ae321b9f95b4d", "5d6a2274d93ad079bd3a3840cf0e70d0", "44565ca878f878ab967c9f9d3a074163", "401b9b0624cd1b32eab18acab0ce3da3", "0baff11bed a07ce319925bb78", "73f2b9ad f5fc6b1fd505b2e3", "a46c3580f9f27b4a8d91f4ad35ef630b", " fc111c0895ec2158a9ca17e", " fb6ea3dbd0062f688d3e611d", "94d9d3a75d244de239b8f9199f0e4db1" }; 위의키들을이용하여서복호화하는방식의알고리즘입니다. 13

14 입력된암호문의문자와위의키의문자와간단한연산을통해서복호화하는알고리즘입니다. 원본파일은 FedoraCore 8에서컴파일되었습니다. 앞서공개한간단한연산은 + 또는 - 연산입니다. char 범위를넘지않기위해 % 128 연산도이루어집니다. 입력문자열의길이에따라시작키가달라지며, 암호문의한글자당다른키의문자와연산이이루어집니다. 암호문과복호문의길이는대칭입니다. 또한정답은아래와같은예제형식으로하시면됩니다. ex) \xfc\x90\x07\x37... 복호화하는정답이예를들어서 \x41\x41\x41\x41 이라면 hex code \x41의 md5를구하는것이아닌 \x41 이렇게 4바이트통채에대한 md5를구하시면됩니다. 예를들은값이 \x41\x41\x41\x41 이라면 md5(\x41\x41\x41\x41) 이라는것이지요 풀이 [root@matrix /home/matrix/codegate]#./prog > O{RVT [root@matrix /home/matrix/codegate]#./prog > P{RVT [root@matrix /home/matrix/codegate]#./prog > Q{RVT [root@matrix /home/matrix/codegate]#./prog P P > o{rvt [root@matrix /home/matrix/codegate]#./prog G G > f{rvt [root@matrix /home/matrix/codegate]#./prog G G > f{rvt [root@matrix /home/matrix/codegate]#./prog G G > f{rvt [root@matrix /home/matrix/codegate]#./prog G G > f{rvt 위와같이태스트해보다한문자씩맞춰갈수있겠다하는생각이들었습니다. 그래서 14같은제어문자입력을위해 perl을사용다음과같이 fckorea-wowhacker-codegate를맞춰갔습니다. 14

15 ( ascii를입력하다문자열이출력될때까지값을바꿔가며입력... 나온문자열과입력한문자열의오프셋을이용해 fckorea-wowhacker-codegate의해당문자에다시오프셋을적용, 가끔해당문자열을바꿔도출력값이안나오는경우뒤에값을바꿔주면나왔습니다. ) 유도과정 ( 보고서작성을위해이노가다를다시하느라정말힘들었습니다... --; ) "\x14","\x1d","\x28","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(AAAAAAAAAAAAAAAAAAAAAA -> fcko^` \[`^[ "\x14","\x1d","\x28","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(BAAAAAAAAAAAAAAAAAAAAA -> fcko_` \[`^[ "\x14","\x1d","\x28","\x55","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UAAAAAAAAAAAAAAAAAAAAA -> fckor` \[`^[ "\x14","\x1d","\x28","\x55","\x45","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UEAAAAAAAAAAAAAAAAAAAA -> fckor` \[`^[ "\x14","\x1d","\x28","\x126","\x45","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x ^(6EAAAAAAAAAAAAAAAAAAAA -> c9t`s_ ^\ _\`[^[^`^ "\x14","\x1d","\x28","\x10","\x45","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(EAAAAAAAAAAAAAAAAAAAA -> fcko-` \[`^[ "\x14","\x1d","\x28","\x55","\x45","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UEAAAAAAAAAAAAAAAAAAAA -> fckor` \[`^[ 15

16 "\x14","\x1d","\x28","\x55","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UAAAAAAAAAAAAAAAAAAAA -> fckor^` \[`^[ "\x14","\x1d","\x28","\x55","\x17","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UAAAAAAAAAAAAAAAAAAAA -> fckore` \[`^[ "\x14","\x1d","\x28","\x55","\x17","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UAAAAAAAAAAAAAAAAAAA -> fckore/ \[`^[ "\x14","\x1d","\x28","\x55","\x17","\x15","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UAAAAAAAAAAAAAAAAAAA -> fckore4 \[`^[ "\x14","\x1d","\x28","\x55","\x17","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBAAAAAAAAAAAAAAAAAAA -> fckorea \[`^[ "\x14","\x1d","\x28","\x55","\x17","\x42","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBAAAAAAAAAAAAAAAAAA -> fckoreaz\[`^[ "\x14","\x1d","\x28","\x55","\x17","\x42","\x63","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBcAAAAAAAAAAAAAAAAAA -> fckorea-\[`^[ "\x14","\x1d","\x28","\x55","\x17","\x42","\x63","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBcAAAAAAAAAAAAAAAAA -> fckorea-+[`^[ "\x14","\x1d","\x28","\x55","\x17","\x42","\x63","\x56","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 16

17 G(UBcVAAAAAAAAAAAAAAAAA -> fckorea-q[`^[ "\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAAA -> fckorea-w[`^[ "\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAA -> fckorea-w`[`^[ "\x100","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 ^(UBc\0AAAAAAAAAAAAAAAA -> c9t#4$wm\ _\`[^[^`^ "\x99","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAA -> fckorea-w?`^[ "\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\PAAAAAAAAAAAAAAAA -> fckorea-w [`^[ "\x70","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\pAAAAAAAAAAAAAAAA -> "\x75","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\uAAAAAAAAAAAAAAAA -> fckorea-we[`^[ "\x75","\x1f","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 17

18 G(UBc\uAAAAAAAAAAAAAAA -> fckorea-we9`^[ "\x1f","\x1f","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAA -> fckorea-wo9`^[ "\x1f","\x5d","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAAA -> fckorea-wow`^[ "\x1f","\x5d","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAA -> fckorea-wow_`^[ "\x1f","\x5d","\x19","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x80","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wow`^[ 18

19 "\x1f","\x5d","\x19","\x90","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x100","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]0AAAAAAAAAAAAA -> c9t#4$fz4\m _\`[^[^`^ "\x1f","\x5d","\x19","\x99","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x1","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41" G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x5","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41" G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x40","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x43","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]CAAAAAAAAAAAAA -> fckorea-wowh`^[ 19

20 "\x1f","\x5d","\x19","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x4c","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]LAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAA -> fckorea-wowh/`^[ "\x1f","\x5d","\x19","\x10","\x10","\x10","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAA -> fckorea-wowh/`^[ "\x1f","\x5d","\x19","\x20","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\] -> d<v"b,$fw5 "\x1f","\x5d","\x19","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAA -> fckorea-wowho`^[ 20

21 "\x1f","\x5d","\x19","\x51","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]QAAAAAAAAAAA -> fckorea-wowhp`^[ "\x1f","\x5d","\x19","\x66","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]fAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAA -> fckorea-wowho`^[ "\x1f","\x5d","\x19","\x42","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAA -> fckorea-wowha`^[ "\x1f","\x5d","\x19","\x42","\x50","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BPAAAAAAAAAAA -> fckorea-wowha`^[ "\x1f","\x5d","\x19","\x42","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BPAAAAAAAAAA -> fckorea-wowhal]`^[ "\x1f","\x5d","\x19","\x42","\x3d","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]B=AAAAAAAAAA -> fckorea-wowhay]`^[ "\x1f","\x5d","\x19","\x42","\x4c","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BLAAAAAAAAAA -> fckorea-wowhah]`^[ 21

22 "\x1f","\x5d","\x19","\x42","\x47","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAAA -> fckorea-wowhac]`^[ "\x1f","\x5d","\x19","\x42","\x47","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac]ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x20","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG -> agt%d /%k)` "\x1f","\x5d","\x19","\x42","\x47","\x11","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac^ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x12","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac_ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhackww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAA -> fckorea-wowhackww/^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAA -> fckorea-wowhackww/`^[ 22

23 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0AAAAAAA -> fckorea-wowhackww/`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x20","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0 -> `<G 5v9'e^=~^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0PAAAAAAA -> fckorea-wowhackww/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x25","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG%PAAAAAAA -> fckorea-wowhacklw/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BGPAAAAAAA -> fckorea-wowhackew/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x20","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG -> fckorea-wowhacke "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x20","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG -> fckorea-wowhacke "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x50","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPAAAAAA -> fckorea-wowhacke/ m[ 23

24 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x51","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BGQPPAAAAAA -> fckorea-wowhacke/ m[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x51","\x10","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGQPPPAAAAA -> fckorea-wowhacke/ mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x52","\x10","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGRPPPAAAAA -> fckorea-wowhacke/ mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x52","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGRPPPPAAAAA -> fckorea-wowhackeo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x10","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPPAAAAA -> fckorea-wowhackewo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x11","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPPAAAAA -> fckorea-wowhackexo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPPPAAAAA -> fckorea-wowhackero mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x51","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPPPAAAAA -> fckorea-wowhackerp mj 24

25 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\xe","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG+PPPAAAAA -> fckorea-wowhacker- mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0 G(UBc\]BG+PPPAAAAA -> fckorea-wowhacker- mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x51","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPPAAAAA -> fckorea-wowhacker-!mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x52","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPPAAAAA -> fckorea-wowhacker-"mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPAAAAA -> fckorea-wowhacker-cmj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPAAAAA -> fckorea-wowhacker-cmj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x51","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPAAAAA -> fckorea-wowhacker-cnj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPAAAAA -> fckorea-wowhacker-coj 25

26 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x51","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RQAAAAA -> fckorea-wowhacker-cok "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x40","\x41","\x41","\x41","\x41","\x4 -> fckorea-wowhacker-coz "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x44","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RDAAAAA -> fckorea-wowhacker-co^ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x47","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RGAAAAA -> fckorea-wowhacker-coa "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x51","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RQAAAAA -> fckorea-wowhacker-cok "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPAAAAA -> fckorea-wowhacker-coj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAAA -> fckorea-wowhacker-cod "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x50","\x41","\x41","\x41","\x4 G(UBc\]BG+RJPAAAA -> fckorea-wowhacker-cod 26

27 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x10","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-cod^ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x11","\x41","\x41","\x41","\x G(UBc\]BG+RJAAAA -> fckorea-wowhacker-cod_ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x16","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-codd "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x10","\x41","\x41","\x4 G(UBc\]BG+RJAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x11","\x41","\x41","\x G(UBc\]BG+RJAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x50","\x10","\x41","\x4 G(UBc\]BG+RJPAA -> fckorea-wowhacker-codew "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x51","\x10","\x41","\x4 G(UBc\]BG+RJQAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x30","\x10","\x41","\x4 G(UBc\]BG+RJ0AA -> fckorea-wowhacker-codezw 27

28 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x31","\x10","\x41","\x4 G(UBc\]BG+RJ1AA -> fckorea-wowhacker-code{w "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x2a","\x10","\x41","\x G(UBc\]BG+RJ*AA -> fckorea-wowhacker-codetw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x27","\x10","\x41","\x4 G(UBc\]BG+RJ'AA -> fckorea-wowhacker-codeqw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x22","\x10","\x41","\x4 G(UBc\]BG+RJ"AA -> fckorea-wowhacker-codelw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1c","\x10","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codefw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x10","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x20","\x41","\x G(UBc\]BG+RJ -> 27E$ba-xgzde;<xW`o2l "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x21","\x41","\x G(UBc\]BG+RJ!AA -> fckorea-wowhacker-codegh "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x25","\x41","\x G(UBc\]BG+RJ%AA -> fckorea-wowhacker-codegl "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1c","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegc 28

29 "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1d","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegd "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x10","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x17","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codeg^ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x18","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codeg_ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codega "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x56","\x G(UBc\]BG+RJVA -> fckorea-wowhacker-codegat[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x56","\x G(UBc\]BG+RJVK -> fckorea-wowhacker-codegate /home/matrix/codegate]# d c 1f 5d e 1e 2b 0e a 17 1d 1a 56 4b \x47\x14\x1d\x28\x55\x17\x42\x63\x5c\x1f\x5d\x19\x42\x47\x1e\x1e\x2b\x0e\x13\x52\x4a\x17\x1d\x1a key=\x47\x14\x1d\x28\x55\x17\x42\x63\x5c\x1f\x5d\x19\x42\x47\x1e\x1e\x2b\x0e\x13\x52\x4a\x17\x1d md5 : a370f816e2ee8adc9dac978a06c0946e ============================================================================================ 29

30 level 5 CodeGate Level 5 당신은 A 음악포털에가입하여한 MP3 파일을 100,000 원을주고다운로드하였다. 해당파일은 EXE 파일로되어있었으며, 실행을시키면바탕화면에 MP3 파일을생성하는역할을하였다. 당신은 'MP3 파일만복사하는게아니니까, EXE 파일로배포하겠지...' 라고생각했지만큰관심을두지는않았다. 그후당신은바탕화면에생성된 MP3 파일을당신의 MP3 Player에복사하였지만해당파일은 MP3 포멧의 DRM 파일이었다. 해당노래는찌지직거리는잡음만재생될뿐이였다. 당신은화가났다. 100,000 원이나주고결제했는데노래를들을수없다니... 컴퓨터음악을전공한당신은 MP3 파일의첫번째 Frame과두번째 Frame이이상하다는것을알수있었다. Password : 노래의제목 Hint [HINT] private.key의값을이용하여 Mp3의 Data영역을복호화기타질문답변은게시판에서합시다! [HINT2] 데이터영역을복호화해서노래의제목을맞추어야하며, 복호화키는문제에서찾아야합니다. [HINT3] 제작자가만든알고리즘이아닌널리알려져있는알고리즘임 [HINT4 & 방향제시 ] 사용자가구매한 DRM에는원래복호화기능이포함되어있어야합니다. 그래서 Mp3의암호화된데이터영역을복호화해야하는데, 해당루틴이없기때문에 Mp3의 Data영역은암호화된상태로재생되게되어이상한잡음만들리는것입니다. private.key를이용하여복호화한값이새로운키값이될수있겠죠..? [ LAST HINT ] Data 영역 -> BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback. It encrypts or decrypts the bytes in in using the key schedule, putting the result in out. enc decides if encryption ( BF_ENCRYPT ) or decryption ( BF_DECRYPT ) shall be performed. ivec must point at an 8 byte long initialization vector. num must point at an integer which must be initially zero 풀이. reshacker를이용해찾은 key -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDdAVtrsR8vxThxerSvxBr7AUKy7VXFoOkIu2IQtilYetHjz1Kr jkx5funmmtuxdgi7as3x13bs7ldncnbimujiuj6e6drowcxlcql62aiqeisx/3wu vt9wq1r7nx9dk1hr5l1mj+omfrdux1rhunqmin4atqfw3ucd5beyl7pjpqidaqab AoGAFVDZMXTe7iuWexN7s+w1Mfp4JWvQtwQDFe2E0tnO+RK3hcJsVdGeHCdKhgI+ /akjbe/jzqqiekv0kiyh/mqoa14zrrkzdd293vjgtod5ebzftwkpe/fhhh1mhh+1 30

31 f6y1tbc/+8t18jmzzwzinjy72j5dkb/jxssimt2oucqhe/0cqqd6gbzryyg5zxok JQMhg6jdi4G0L6W1pmFKYHCKstIp7zt27bxN/DMYcpQ801cvhx70Hdq9WWns9k6J u6+edujtakea4dohzncmrjd4rv9bzr7xroh0n2wuq9jlyqygyzq78un89s4de2kq Yo11i/d7Rog6wN9loljtZMIu+8TwZE9ULwJBAKc4l3EwC9YrLZLACksA/GSHj9mc RN3xZtijb/zmSey8SdGl+SGFzQXw1ouT+Is9g6gpla74VQFdmifPJecjBQkCQHXb B8z6aHlJSTUyQL9PZqqLcDKtCit/ewq8dEp1tH4CRQ1QeGxqN7wl41wpxduVhUtW idvcugalsk05hnrjjsmcqbppeiv7mqalkpvxbwajnzmdy5rv7tfdrzih3owsix22 olr9pk1da+cqwao+cw0wbbmjjcuyh+tnqovblb+i0jo= -----END RSA PRIVATE KEY----- 를이용 what.mp3 중의심이가는 128bite 를복호화하였습니다 /home/matrix/codegate/level5]# perl -e 'print "\x28","\x6c","\x5b","\xcd","\x9c","\x20","\x19","\xad","\xad","\x45","\xbe","\x2f","\xc9","\xbb","\x0f","\xdd cat > text /home/matrix/codegate/level5]# openssl rsautl -decrypt -inkey key.rsa -in text The best security group. /home/matrix/codegate/level5]# 얻은키값으로다시 mp3 data를복호화하기위한소스를작성하였습니다. // header check if( (src_buf[i] == 0xFF && src_buf[i+1] == 0xFB && if( (src_buf[i] == 0xFF && src_buf[i+1] == 0xFB && src_buf[i+2] == 0xB0 && src_buf[i+3] == 0x04 ) (src_buf[i] == 0xFF && src_buf[i+1] == 0xFB && src_buf[i+2] == 0xB2 && src_buf[i+3] == 0x04 ) ) && src_buf[i+3] == 0x04 ) { src_buf[i+2] == 0xB2라면 decryption((unsigned char*)enc_txt,(unsigned char*)plain_text,623); src_buf[i+2] == 0xB0라면 decryption((unsigned char*)enc_txt,(unsigned char*)plain_text,622); } 잠도못잤는데정말삐빅 ~ 삐빅 ~ 삐비빅 ~ 지겹게들었습니다. --; 바이너리파일과 mp3파일첨부할께요. take my eyes off you ===================================================================================== 바로작성해놨어야했는데벼락치기하다결국밤을새고말았습니다. 좋은경험을한거같아기분이좋습니다. 운영진분들고생많이하셨습니다. ^^V 31

::::::::::::::::::::::::::::::::::::::::::::::::::: 레벨별패스워드 ::::::::::::::::::::::::::::::::::::::::::::::::::: [-] Level1 Plain text : WowhackerFight

= 제 1 회 Codegate 해킹대회예선전풀이 = ::::::::::::::::::::::::::::::::::::::::::::::::::: 레벨별패스워드 ::::::::::::::::::::::::::::::::::::::::::::::::::: [-] Level1 Plain text : WowhackerFighting!!!!!@KoreaFighting&hinehong