Codegate Preliminary Match Report - 2008 Historymaker
Introduction: Code gate - 2008. Use it as a reference as you see fit..
2012.06.15 20:19

==================================================================
/ Codegate Preliminary Match Report /
/ CG8347 matrix /
==================================================================

level 1.

Question url is "http://222.239.80.207/login.php". All challengers connect this page and try to find the password. Id is "wowhacker".

Hint.
-----------------------------------------------------------
TAG : Tomcat server, mapped to the php extension, hint.jsp
Since the TAG hints also seem likely to cause confusion, only one TAG will be used.
"Attack hint.jsp"
hint.jsp?hinehong=<script>
-----------------------------------------------------------

Solution.

http://222.239.80.207/hint.jsp?hinehong=<script>

Following the hint reveals the encrypted key and the plaintext.

Const gckey = "Wowhacker~!"
Set xmlhttp = CreateObject("Microsoft.XMLHTTP")
xmlhttp.open "GET", "http://222.239.80.207/wowhacker_hinehong_wowhacker_good", "false"
xmlhttp.send()

http://222.239.80.207/wowhacker_hinehong_wowhacker_good

MIGcBgkrBgEEAYI3WAOggY4wgYsGCisGAQQBgjdYAwGgfTB7AgMCAAECAmYCAgIA
gaqiztxtltd/iyceeni9/i9uokvsqyvaiizuexceuho0zki14cvnrvf5wfkj7sl8
F8C3ksNOi/FxulOzCQlJKrn46BSN1VY3v1Q/0+hsyKycpFUFKwp+uC+Z4DubOLyq
1Evj8UymVOIAlrHwtHX3

Searching for Const gckey, I found that it belongs to the security and encryption technology provided by Microsoft, which is currently shipped as a dll component, and the related code was easy to obtain.

http://msdn2.microsoft.com/en-us/library/ms995332.aspx

A little coding in Visual Basic gave me the password.

-----------------------------------------------------------------
Form

Private Sub Form_Load()
    ' Decrypt the blob fetched from the server and show it in the text box
    Text1 = Module1.Decrypt("MIGcBgkrBgEEAYI3WAOggY4wgYsGCisGAQQBgjdYAwGgfTB7AgMCAAECAmYCAgIA gaqiztxtltd/iyceeni9/i9uokvsqyvaiizuexceuho0zki14cvnrvf5wfkj7sl8 F8C3ksNOi/FxulOzCQlJKrn46BSN1VY3v1Q/0+hsyKycpFUFKwp+uC+Z4DubOLyq 1Evj8UymVOIAlrHwtHX3 ")
End Sub

Module

Const gckey = "CryptKey~!"

' Encrypt Message with the shared secret using CAPICOM.EncryptedData
Public Function Encrypt(Message)
    Dim ed, key
    key = gckey
    Set ed = CreateObject("CAPICOM.EncryptedData")
    ed.content = Message
    ed.setsecret key
    Encrypt = ed.encrypt
    Set ed = Nothing
End Function

' Decrypt EncMessage with the shared secret and return the plaintext
Public Function Decrypt(EncMessage)
    Dim ed, key
    key = gckey
    Set ed = CreateObject("CAPICOM.EncryptedData")
    ed.setsecret key
    ed.decrypt EncMessage
    Decrypt = ed.content
    Set ed = Nothing
End Function
------------------------------------------------------------

Result

dhkdngozjxlathvmxmvhfjaghdehdcjfgood

Forgetting for a while that http://222.239.80.207/login.php existed, I wasted more than an hour mindlessly feeding the value above into md5. --;

In the end, logging in as wowhacker/dhkdngozjxlathvmxmvhfjaghdehdcjfgood succeeded.

The result is WowhackerFighting!!!!!@KoreaFighting&hinehong

After a few more wasted minutes with
http://codegate.wowhacker.com/md5.php?key=the result is WowhackerFighting!!!!!@KoreaFighting&hinehong
I generated the md5 with
http://codegate.wowhacker.com/md5.php?key=wowhackerfighting!!!!!@koreafighting&hinehong
and authentication succeeded.
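md5 : c79a0d2297411c451b82dc99f7fdc094
============================================================================================

level 2

http://222.239.80.209/~chmod777/bbs/zboard.php?id=freeboard

Hint.
-----------------------------------------------------------------
[ Hint 1 ]
Level 2 requires using a vulnerability in this board to read a secret post; the content is inside that secret post. Solving what it says is the hint for solving the problem.
1. Find the Zeroboard vulnerability and read the secret post.
2. Download the file and work out its return value exactly.

[ Hint 2 ]
1. It is a publicly known Zeroboard vulnerability.
2. It has nothing to do with reversing.

[ Hint 3 ]
1. Among the Zeroboard vulnerabilities there is an sql injection (union select...) that uses a specific variable, s_que. It lets you view the member table of the DB. A vulnerability that lets you read secret posts directly through _member_info_included has also been found.
2. The downloaded file is an encryption scheme. You must exchange strings through the program. This is not reversing; strings are exchanged between programs. The decryption key is wowhacker.
-----------------------------------------------------------------

Solution.

While looking into the problem, I found that directory listing was enabled at http://222.239.80.209/~chmod777/ (I could also tell that the magic quotes option was set: \') and I was able to download the file zb4pl8.gz.
Searching for zb4pl8 vulnerabilities from there, I learned that injection through s_que was possible.

zboard.php?id=freeboard&s_que=10%20union%20select%20no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no,no

- By substituting values at random I found that zetyx_member_table has 36 columns, and then went back to guessing.

zboard.php?id=freeboard&s_que=10%20union%20select%20no,no,no,no,no,no,no,no,no,no,no,no,no,no,user_id,user_id,user_id,leve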
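- As a result I obtained the hash values of wowhacker and webmaster, and brute-forcing wowhacker's value gave the passwd good!.

After logging in I could read the secret message, and I downloaded the file as it instructed.
After downloading it I ran the program, but unfortunately it exited because it could not connect to the server. With no other choice, a sweet break... haha

Activation.exe

Result of feeding in the characters one at a time
-------------------------
0 FD   1 GD   2 GF   3 FV   4 DV   5 AF
6 GX   7 AV   8 VV   9 GA   a FA   b DF
c AX   d VD   e GV   f AA   g DD   h VF
i XV   j DG   k FF   l XA   m AG   n AD
o XD   p XX   q FX   r VX   s FG   t VG
u VA   v XG   w DX   x DA   y GG   z XF
-------------------------

The string VDDAXDFFVVADAFFXAFAAVXYD had to be produced, and since each character yields 2 letters I could tell the input was 12 characters in total. Using

8fgkpy8fgkpy
VVAADDFFXXGGVVAADDFFXXGG

as the baseline, I compared substitutions position by position to find where each position ends up (coordinates, ex) 3-2 : the 2nd letter of the 3rd character).

-------------------------------------------------------------------------------------------------
/ 3-2,7-2 12-1,3-1 8-2,12-2 4-1,9 2-1,7-1 11-1,4-2 8-1,1-1 6-2,10-1 5,9 1-2,5 10-2,2-2 6-1,11-2 /
-------------------------------------------------------------------------------------------------

Result: I learned that hacking is an art.

http://codegate.wowhacker.com/md5.php?key=ar70fh4cking

md5 : 90be449c342716e606e80c7a5b2080b8
============================================================================================

level 3

http://222.239.80.204/notepad.exe

Hint.
----------------------------------------------------------------------
Administrator

-March 23, 1:44-
The level 3 Notepad.exe consists of SVCH0ST.exe and notepad.exe, and when the challenge (the executable) is run, both are run together.
The authentication code is in SVCH0ST.exe. ( related string :Q`TThnmBmEQqdoBq`Uhnm)

-March 23, 13:10-
A rootkit module is active for SVCH0ST.exe in the process list. The key is taken as input, passed through a "specific routine", and then compared with that string using strcmp.
If the string matches, the entered key value is shown together with the "Success" string. In other words, if you enter the correct key value and authentication succeeds, the key value you entered is the answer.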
MD5 that key value and then authenticate on the competition homepage.
----------------------------------------------------------------------

Solution.

Using filemon, provided by MS, I located the SVCH0ST.exe file.
Directory: "C:\Documents and Settings\ms\Local Settings\Temp"
Using Peid on the file, I found that it was packed with "UPX 0.89.6-1.02 / 1.05-1.24 -> Markus & Laszlo".
I unpacked it with PE.Explorer, saved it as un_svch0st.exe, and analyzed it.

The routine as analyzed in OllyDBG
-------------------------------------------------------------------------------------------
004011B0 /$ 81EC A0010000 SUB ESP,1A0
004011B6. 56 PUSH ESI
004011B7. 57 PUSH EDI
004011B8. B9 27000000 MOV ECX,27
004011BD. BE C8704000 MOV ESI,un_SVCH0.004070C8 ; ASCII "################################################## ############### CodeGate NotePad ############### ################################################## "
004011C2. 8D7C24 08 LEA EDI,DWORD PTR SS:[ESP+8]
004011C6. 33C0 XOR EAX,EAX
004011C8. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004011CA. A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004011CB. 8BB424 B001000>MOV ESI,DWORD PTR SS:[ESP+1B0]
004011D2. B9 3F000000 MOV ECX,3F
004011D7. 8DBC24 A900000>LEA EDI,DWORD PTR SS:[ESP+A9]
004011DE. C68424 A800000>MOV BYTE PTR SS:[ESP+A8],0
004011E6. F3:AB REP STOS DWORD PTR ES:[EDI]
004011E8. 56 PUSH ESI
004011E9. 66:AB STOS WORD PTR ES:[EDI]
004011EB. E8 20010000 CALL un_svch0.00401310
004011F0. 83C4 04 ADD ESP,4
004011F3. 85C0 TEST EAX,EAX
004011F5. 75 2A JNZ SHORT un_svch0.00401221
004011F7. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004011FB. 56 PUSH ESI ; /<%s>
004011FC. 50 PUSH EAX ; <%s>
004011FD. 8D8C24 B000000>LEA ECX,DWORD PTR SS:[ESP+B0] ;
00401204. 68 A4704000 PUSH un_svch0.004070a4 ; Format = "%s Success
Auth Key : %s"
00401209. 51 PUSH ECX ; s
0040120A. FF15 EC604000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
00401210. 83C4 10 ADD ESP,10
00401213. 6A 00 PUSH 0
00401215. 68 98704000 PUSH un_svch0.00407098 ; ASCII "Success!!"
0040121A. 68 98704000 PUSH un_svch0.00407098 ; ASCII "Success!!"
0040121F. EB 27 JMP SHORT un_svch0.00401248
00401221 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00401225. 8D8424 A800000>LEA EAX,DWORD PTR SS:[ESP+A8]
0040122C. 52 PUSH EDX ; /<%s>
0040122D. 68 80704000 PUSH un_svch0.00407080 ; Format = "%s Trial Version "
00401232. 50 PUSH EAX ; s
00401233. FF15 EC604000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
00401239. 83C4 0C ADD ESP,0C
0040123C. 6A 00 PUSH 0
0040123E. 68 70704000 PUSH un_svch0.00407070 ; ASCII "Trial Version!!"
00401243. 68 70704000 PUSH un_svch0.00407070 ; ASCII "Trial Version!!"
00401248 > 8BB424 B801000>MOV ESI,DWORD PTR SS:[ESP+1B8] ;
0040124F. 56 PUSH ESI ; howner
00401250. FF15 08614000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401256. 8D8C24 A800000>LEA ECX,DWORD PTR SS:[ESP+A8]
0040125D. 51 PUSH ECX ; /lparam
0040125E. 6A 00 PUSH 0 ; wparam = 0
00401260. 6A 0C PUSH 0C ; Message = WM_SETTEXT
00401262. 56 PUSH ESI ; hwnd
00401263. FF15 F0604000 CALL DWORD PTR DS:[<&USER32.SendMessageA>; \SendMessageA
00401269. 5F POP EDI
0040126A. 5E POP ESI
0040126B. 81C4 A0010000 ADD ESP,1A0
00401271 \. C3 RETN
-------------------------------------------------------------------------------------------

In this listing you can see the branch between Success and Trial Version at 0x004011F5,
and you can infer that the entered value is changed by CALL un_svch0.00401310 at 0x004011EB, before the branch.

------------------------------------------------------
004011EB. E8 20010000 CALL un_svch0.00401310
004011F0. 83C4 04 ADD ESP,4
004011F3. 85C0 TEST EAX,EAX
004011F5. 75 2A JNZ SHORT un_svch0.00401221
------------------------------------------------------

Looking at 0x00401310 in turn:

-------------------------------------------------------------------------------------------
00401310 /$ 81EC D0070000 SUB ESP,7D0
00401316. 55 PUSH EBP
00401317. 56 PUSH ESI
00401318. 57 PUSH EDI
00401319. B9 F3010000 MOV ECX,1F3
0040131E. 33C0 XOR EAX,EAX
00401320. 8D7C24 0D LEA EDI,DWORD PTR SS:[ESP+D]
00401324. C64424 0C 00 MOV BYTE PTR SS:[ESP+C],0
00401329. 8BB424 E007000>MOV ESI,DWORD PTR SS:[ESP+7E0]
00401330. F3:AB REP STOS DWORD PTR ES:[EDI]
00401332. 66:AB STOS WORD PTR ES:[EDI]
00401334. 56 PUSH ESI
00401335. 68 80714000 PUSH un_svch0.00407180 ; ASCII "%s "
0040133A. AA STOS BYTE PTR ES:[EDI]
0040133B. E8 D2030000 CALL un_svch0.00401712
00401340. 8BFE MOV EDI,ESI
00401342. 83C9 FF OR ECX,FFFFFFFF
00401345. 33C0 XOR EAX,EAX
00401347. 83C4 08 ADD ESP,8
0040134A. 33ED XOR EBP,EBP
0040134C. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040134E. F7D1 NOT ECX
00401350. 49 DEC ECX
00401351. 74 37 JE SHORT un_svch0.0040138a
00401353. 53 PUSH EBX
00401354. 8D5C24 10 LEA EBX,DWORD PTR SS:[ESP+10]
00401358. 8BD6 MOV EDX,ESI
0040135A. 2BDE SUB EBX,ESI
0040135C > 8A02 /MOV AL,BYTE PTR DS:[EDX]
0040135E. 3C 61 CMP AL,61
00401360. 7C 08 JL SHORT un_svch0.0040136a
00401362. 3C 7A CMP AL,7A
00401364. 7F 04 JG SHORT un_svch0.0040136a
00401366. FEC8 DEC AL
00401368. EB 0A JMP SHORT un_svch0.00401374
0040136A > 3C 41 CMP AL,41
0040136C. 7C 09 JL SHORT un_svch0.00401377
0040136E. 3C 5A CMP AL,5A
00401370. 7F 05 JG SHORT un_svch0.00401377
00401372. FEC0 INC AL
00401374 > 880413 MOV BYTE PTR DS:[EBX+EDX],AL
00401377 > 45 INC EBP
00401378. 8BFE MOV EDI,ESI
0040137A. 83C9 FF OR ECX,FFFFFFFF
0040137D. 33C0 XOR EAX,EAX
0040137F. 42 INC EDX
00401380. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401382. F7D1 NOT ECX
00401384. 49 DEC ECX
00401385. 3BE9 CMP EBP,ECX
00401387.^72 D3 \JB SHORT un_svch0.0040135c
00401389. 5B POP EBX
0040138A > BF 68714000 MOV EDI,un_SVCH0.00407168 ; ASCII "Q`TThnmBmEQqdoBq`Uhnm"
0040138F. 83C9 FF OR ECX,FFFFFFFF
00401392. 33C0 XOR EAX,EAX
00401394. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401396. F7D1 NOT ECX
00401398. 49 DEC ECX
00401399. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0040139D. 51 PUSH ECX
0040139E. 50 PUSH EAX
0040139F. 68 68714000 PUSH un_svch0.00407168 ; ASCII "Q`TThnmBmEQqdoBq`Uhnm"
004013A4. E8 A7030000 CALL un_svch0.00401750
004013A9. 83C4 0C ADD ESP,0C
004013AC. F7D8 NEG EAX
004013AE. 5F POP EDI
004013AF. 5E POP ESI
004013B0. 1BC0 SBB EAX,EAX
004013B2. 5D POP EBP
004013B3. 81C4 D0070000 ADD ESP,7D0
004013B9 \. C3 RETN
-------------------------------------------------------------------------------------------

Setting a breakpoint at 0x004013A4, running, and entering matrix, you can see the changed value in eax.
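
The loop at 0x0040135C and the comparison that follows it, rendered in C together with the inverse mapping. This is an added example, not code from the original report or the challenge; the function names are hypothetical, and treating the call at 0x004013A4 as a length-limited string compare is an assumption based on its three arguments.

```c
/* Added example: C rendering of the level 3 check and its inverse. */
#include <stdio.h>
#include <string.h>

/* Comparison string referenced at 0x0040138A / 0x0040139F. */
static const char TARGET[] = "Q`TThnmBmEQqdoBq`Uhnm";

/* Forward transform, following 0x0040135C..0x00401387:
 * 'a'..'z' is decremented, 'A'..'Z' is incremented, and any other byte is
 * skipped without a store, so that slot keeps the zero the buffer was
 * pre-filled with. out must hold at least strlen(in) + 1 bytes. */
void transform(const char *in, char *out)
{
    size_t n = strlen(in);
    memset(out, 0, n + 1);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 'a' && c <= 'z')
            out[i] = (char)(c - 1);
        else if (c >= 'A' && c <= 'Z')
            out[i] = (char)(c + 1);
    }
}

/* Mirrors the routine's result: 0 on match (Success), -1 otherwise (Trial).
 * ASSUMPTION: the call at 0x004013A4 compares strlen(TARGET) bytes. */
int check_key(const char *key)
{
    char buf[2000]; /* the routine reserves 0x7D0 bytes of stack */
    if (strlen(key) >= sizeof buf)
        return -1;
    transform(key, buf);
    return strncmp(TARGET, buf, strlen(TARGET)) == 0 ? 0 : -1;
}

/* Inverse mapping. The two image ranges ('`'..'y' and 'B'..'[') do not
 * overlap, so every byte has at most one preimage.
 * Returns 0 and writes the key, or -1 if a byte has no preimage. */
int invert(const char *target, char *key)
{
    size_t n = strlen(target);
    for (size_t i = 0; i < n; i++) {
        unsigned char t = (unsigned char)target[i];
        if (t >= 'a' - 1 && t <= 'z' - 1)        /* came from 'a'..'z' */
            key[i] = (char)(t + 1);
        else if (t >= 'A' + 1 && t <= 'Z' + 1)   /* came from 'A'..'Z' */
            key[i] = (char)(t - 1);
        else
            return -1;
    }
    key[n] = '\0';
    return 0;
}

int main(void)
{
    char key[sizeof TARGET];
    if (invert(TARGET, key) != 0) {
        puts("target contains a byte with no preimage");
        return 1;
    }
    printf("key: %s (check_key -> %d)\n", key, check_key(key));
    return 0;
}
```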
----------------------------------
EAX 0012E9E4 ASCII "l`sqhw"..
ESI 0012F370 "matrix"
----------------------------------

Using this, I entered the whole alphabet instead of matrix.

EAX 0012E9E4 ASCII "`abcdefghijklmnopqrstuvwxyBCDEFGHIJKLMNOPQRSTUVWXYZ["..
ESI 0012F370 ASCII "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

Everything is shifted by one place: for lowercase, "`" appears in place of "a", and for uppercase, "[" appears in place of "Z".

The authentication value at the top is "Q`TThnmBmEQqdoBq`Uhnm", and the input that produces this value can be reassembled from the alphabet mapping just obtained.

PaSSionAnDPrepAraTion

http://codegate.wowhacker.com/md5.php?key=passionandpreparation

md5 : 19985fa6ebb27e837c27181cd962376f
============================================================================================

level 4

http://222.239.80.204/gtrpower/

Hint.
----------------------------------------------------------------------------
The decryption method of the prog program is a simple algorithm implemented separately.
It is not some other public cryptographic algorithm.

char *keys[10] = {
    "98a4c18682f8dc33678ae321b9f95b4d",
    "5d6a2274d93ad079bd3a3840cf0e70d0",
    "44565ca878f878ab967c9f9d3a074163",
    "401b9b0624cd1b32eab18acab0ce3da3",
    "0baff11bed4531372a07ce319925bb78",
    "73f2b9ad80693506f5fc6b1fd505b2e3",
    "a46c3580f9f27b4a8d91f4ad35ef630b",
    "516415464fc111c0895ec2158a9ca17e",
    "41280517fb6ea3dbd0062f688d3e611d",
    "94d9d3a75d244de239b8f9199f0e4db1"
};

The algorithm decrypts using the keys above.
The algorithm decrypts by applying a simple operation between the characters of the input ciphertext and the characters of the keys above.
The original file was compiled on FedoraCore 8.
The simple operation mentioned earlier is a + or - operation. A % 128 operation is also applied so that the char range is not exceeded.
The starting key differs depending on the length of the input string, and each character of the ciphertext is combined with a character of a different key.
The ciphertext and the decrypted text have the same length.
The answer should be given in the example format below.
ex) \xfc\x90\x07\x37...
If the decrypted answer were, for example, \x41\x41\x41\x41, you compute the md5 not of the hex code \x41 but of \x41 as written, the whole 4 bytes.
If the example value is \x41\x41\x41\x41, that means md5(\x41\x41\x41\x41).
----------------------------------------------------------------------------

Solution.

------------------------------------------------------------------------------
[root@matrix /home/matrix/codegate]#./prog 02345678901234567890123456
02345678901234567890123456 -> O{RVT
[root@matrix /home/matrix/codegate]#./prog 12345678901234567890123456
12345678901234567890123456 -> P{RVT
[root@matrix /home/matrix/codegate]#./prog 22345678901234567890123456
22345678901234567890123456 -> Q{RVT
[root@matrix /home/matrix/codegate]#./prog P2345678901234567890123456
P2345678901234567890123456 -> o{rvt
[root@matrix /home/matrix/codegate]#./prog G2345678901234567890123456
G2345678901234567890123456 -> f{rvt
[root@matrix /home/matrix/codegate]#./prog G2345678901234567890123456
G2345678901234567890123456 -> f{rvt
[root@matrix /home/matrix/codegate]#./prog G3345678901234567890123456
G3345678901234567890123456 -> f{rvt
[root@matrix /home/matrix/codegate]#./prog G3345678901234567890123456
G3345678901234567890123456 -> f{rvt
------------------------------------------------------------------------------

While testing as above, it occurred to me that I could match the output one character at a time.
So, using perl to be able to input control characters such as 14, I matched fckorea-wowhacker-codegate as follows.
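
The offset calculation behind this character-by-character approach, as an added example that is not part of the original report. The `oracle` function is a hypothetical stand-in for ./prog that only follows the hints (length-dependent starting key, a different key per position, % 128); the real key schedule is not on the page, so the bytes it recovers differ from the report's answer.

```c
/* Added example: one-probe calibration against a position-wise additive cipher. */
#include <stdio.h>
#include <string.h>

/* The ten key strings published in the level 4 hint. */
static const char *KEYS[10] = {
    "98a4c18682f8dc33678ae321b9f95b4d", "5d6a2274d93ad079bd3a3840cf0e70d0",
    "44565ca878f878ab967c9f9d3a074163", "401b9b0624cd1b32eab18acab0ce3da3",
    "0baff11bed4531372a07ce319925bb78", "73f2b9ad80693506f5fc6b1fd505b2e3",
    "a46c3580f9f27b4a8d91f4ad35ef630b", "516415464fc111c0895ec2158a9ca17e",
    "41280517fb6ea3dbd0062f688d3e611d", "94d9d3a75d244de239b8f9199f0e4db1"
};

/* HYPOTHETICAL stand-in for ./prog (assumption, not the real algorithm):
 * the input length picks the starting key, each position uses the next key,
 * and the sum is reduced % 128. */
void oracle(const unsigned char *in, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++) {
        const char *k = KEYS[(n + i) % 10];
        out[i] = (unsigned char)((in[i] + (unsigned char)k[i % 32]) % 128);
    }
}

/* If probe byte p produced o at some position, the byte that produces t at
 * that same position is p + (t - o) mod 128. */
unsigned char needed_byte(unsigned char p, unsigned char o, unsigned char t)
{
    return (unsigned char)(((int)p + (int)t - (int)o + 256) % 128);
}

/* Recovers the input that the oracle maps to target from a single all-'A'
 * probe of the same length (the length matters: it selects the start key).
 * Returns 0 if the recovered input verifies against the oracle, else -1. */
int recover_input(const char *target, unsigned char *in)
{
    unsigned char probe[64], seen[64];
    size_t n = strlen(target);
    if (n == 0 || n > sizeof probe)
        return -1;
    memset(probe, 'A', n);
    oracle(probe, n, seen);
    for (size_t i = 0; i < n; i++)
        in[i] = needed_byte('A', seen[i], (unsigned char)target[i]);
    oracle(in, n, seen);
    return memcmp(seen, target, n) == 0 ? 0 : -1;
}

int main(void)
{
    const char *target = "fckorea-wowhacker-codegate";
    unsigned char in[64];

    /* From the session above: '0' printed 'O', so 'f' needs 'G'. */
    printf("first byte: %c\n", needed_byte('0', 'O', 'f'));

    if (recover_input(target, in) != 0)
        return 1;
    for (size_t i = 0; i < strlen(target); i++)
        printf("\\x%02x", in[i]);   /* bytes valid for the stand-in only */
    putchar('\n');
    return 0;
}
```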
( I entered ascii values, changing them until a string was printed... Using the offset between the printed string and the input string, I applied that offset to the corresponding character of fckorea-wowhacker-codegate. Occasionally changing a character produced no output value, and changing the value after it made the output appear. )

Derivation process ( redoing this grind just to write the report was really hard... --; )
G(UBcVAAAAAAAAAAAAAAAAA -> fckorea-q[`^[ "\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAAA -> fckorea-w[`^[ "\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAA -> fckorea-w`[`^[ "\x100","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 ^(UBc\0AAAAAAAAAAAAAAAA -> c9t#4$wm\ _\`[^[^`^ "\x99","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAAA -> fckorea-w?`^[ "\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\PAAAAAAAAAAAAAAAA -> fckorea-w [`^[ "\x70","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\pAAAAAAAAAAAAAAAA -> fckorea-w@[`^[ "\x75","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\uAAAAAAAAAAAAAAAA -> fckorea-we[`^[ "\x75","\x1f","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 17
G(UBc\uAAAAAAAAAAAAAAA -> fckorea-we9`^[ "\x1f","\x1f","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\AAAAAAAAAAAAAAA -> fckorea-wo9`^[ "\x1f","\x5d","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAAA -> fckorea-wow`^[ "\x1f","\x5d","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAA -> fckorea-wow_`^[ "\x1f","\x5d","\x19","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x80","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wow`^[ 18
"\x1f","\x5d","\x19","\x90","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x100","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]0AAAAAAAAAAAAA -> c9t#4$fz4\m _\`[^[^`^ "\x1f","\x5d","\x19","\x99","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x1","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41" G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x5","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41" G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x40","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]@AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x43","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]CAAAAAAAAAAAAA -> fckorea-wowh`^[ 19
"\x1f","\x5d","\x19","\x42","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x4c","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]LAAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAA -> fckorea-wowh/`^[ "\x1f","\x5d","\x19","\x10","\x10","\x10","\x41","\x41","\x41 G(UBc\]AAAAAAAAAAA -> fckorea-wowh/`^[ "\x1f","\x5d","\x19","\x20","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\] -> d<v"b,$fw5 "\x1f","\x5d","\x19","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAA -> fckorea-wowho`^[ 20
"\x1f","\x5d","\x19","\x51","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]QAAAAAAAAAAA -> fckorea-wowhp`^[ "\x1f","\x5d","\x19","\x66","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]fAAAAAAAAAAA -> fckorea-wowh`^[ "\x1f","\x5d","\x19","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]PAAAAAAAAAAA -> fckorea-wowho`^[ "\x1f","\x5d","\x19","\x42","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BAAAAAAAAAAA -> fckorea-wowha`^[ "\x1f","\x5d","\x19","\x42","\x50","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BPAAAAAAAAAAA -> fckorea-wowha`^[ "\x1f","\x5d","\x19","\x42","\x50","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BPAAAAAAAAAA -> fckorea-wowhal]`^[ "\x1f","\x5d","\x19","\x42","\x3d","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]B=AAAAAAAAAA -> fckorea-wowhay]`^[ "\x1f","\x5d","\x19","\x42","\x4c","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BLAAAAAAAAAA -> fckorea-wowhah]`^[ 21
"\x1f","\x5d","\x19","\x42","\x47","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAAA -> fckorea-wowhac]`^[ "\x1f","\x5d","\x19","\x42","\x47","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac]ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x20","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG -> agt%d /%k)` "\x1f","\x5d","\x19","\x42","\x47","\x11","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac^ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x12","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhac_ww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAAA -> fckorea-wowhackww`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAAA -> fckorea-wowhackww/^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x10","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGAAAAAAA -> fckorea-wowhackww/`^[ 22
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x10","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0AAAAAAA -> fckorea-wowhackww/`^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x20","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0 -> `<G 5v9'e^=~^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x30","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG0PAAAAAAA -> fckorea-wowhackww/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x25","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG%PAAAAAAA -> fckorea-wowhacklw/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x10","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BGPAAAAAAA -> fckorea-wowhackew/ ^[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x20","\x10","\x50","\x41","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG -> fckorea-wowhacke "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x20","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG -> fckorea-wowhacke "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x50","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPAAAAAA -> fckorea-wowhacke/ m[ 23
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x51","\x10","\x50","\x50","\x41","\x41","\x41","\x41","\x41","\x4 G(UBc\]BGQPPAAAAAA -> fckorea-wowhacke/ m[ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x51","\x10","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGQPPPAAAAA -> fckorea-wowhacke/ mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x52","\x10","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGRPPPAAAAA -> fckorea-wowhacke/ mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x52","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGRPPPPAAAAA -> fckorea-wowhackeo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x10","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPPAAAAA -> fckorea-wowhackewo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x11","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BGPPPPAAAAA -> fckorea-wowhackexo mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x50","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPPPAAAAA -> fckorea-wowhackero mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x51","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPPPAAAAA -> fckorea-wowhackerp mj 24
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\xe","\x50","\x50","\x50","\x41","\x41","\x41","\x41","\x41 G(UBc\]BG+PPPAAAAA -> fckorea-wowhacker- mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0 G(UBc\]BG+PPPAAAAA -> fckorea-wowhacker- mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x51","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPPAAAAA -> fckorea-wowhacker-!mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x52","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPPAAAAA -> fckorea-wowhacker-"mj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPAAAAA -> fckorea-wowhacker-cmj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x50","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+PPAAAAA -> fckorea-wowhacker-cmj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x51","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+QPAAAAA -> fckorea-wowhacker-cnj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPAAAAA -> fckorea-wowhacker-coj 25
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x51","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RQAAAAA -> fckorea-wowhacker-cok "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x40","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+R@AAAAA -> fckorea-wowhacker-coz "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x44","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RDAAAAA -> fckorea-wowhacker-co^ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x47","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RGAAAAA -> fckorea-wowhacker-coa "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x51","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RQAAAAA -> fckorea-wowhacker-cok "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x50","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RPAAAAA -> fckorea-wowhacker-coj "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x41","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAAA -> fckorea-wowhacker-cod "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x50","\x41","\x41","\x41","\x4 G(UBc\]BG+RJPAAAA -> fckorea-wowhacker-cod 26
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x10","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-cod^ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x11","\x41","\x41","\x41","\x G(UBc\]BG+RJAAAA -> fckorea-wowhacker-cod_ "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x16","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-codd "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x41","\x41","\x41","\x4 G(UBc\]BG+RJAAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x10","\x41","\x41","\x4 G(UBc\]BG+RJAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x11","\x41","\x41","\x G(UBc\]BG+RJAAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x50","\x10","\x41","\x4 G(UBc\]BG+RJPAA -> fckorea-wowhacker-codew "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x51","\x10","\x41","\x4 G(UBc\]BG+RJQAA -> fckorea-wowhacker-code "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x30","\x10","\x41","\x4 G(UBc\]BG+RJ0AA -> fckorea-wowhacker-codezw 27
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x31","\x10","\x41","\x4 G(UBc\]BG+RJ1AA -> fckorea-wowhacker-code{w "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x2a","\x10","\x41","\x G(UBc\]BG+RJ*AA -> fckorea-wowhacker-codetw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x27","\x10","\x41","\x4 G(UBc\]BG+RJ'AA -> fckorea-wowhacker-codeqw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x22","\x10","\x41","\x4 G(UBc\]BG+RJ"AA -> fckorea-wowhacker-codelw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1c","\x10","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codefw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x10","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegw "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x20","\x41","\x G(UBc\]BG+RJ -> 27E$ba-xgzde;<xW`o2l "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x21","\x41","\x G(UBc\]BG+RJ!AA -> fckorea-wowhacker-codegh "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x25","\x41","\x G(UBc\]BG+RJ%AA -> fckorea-wowhacker-codegl "\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1c","\x41","\x G(UBc\]BG+RJAA -> fckorea-wowhacker-codegc 28
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1d","\x41","\x
G(UBc\]BG+RJAA -> fckorea-wowhacker-codegd
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x10","\x41","\x
G(UBc\]BG+RJAA -> fckorea-wowhacker-codegw
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x17","\x41","\x
G(UBc\]BG+RJAA -> fckorea-wowhacker-codeg^
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x18","\x41","\x
G(UBc\]BG+RJAA -> fckorea-wowhacker-codeg_
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x41","\x
G(UBc\]BG+RJAA -> fckorea-wowhacker-codega
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x56","\x
G(UBc\]BG+RJVA -> fckorea-wowhacker-codegat[
"\x1f","\x5d","\x19","\x42","\x47","\x1e","\x1e","\x2b","\x0e","\x13","\x52","\x4a","\x17","\x1d","\x1a","\x56","\x
G(UBc\]BG+RJVK -> fckorea-wowhacker-codegate
[root@matrix /home/matrix/codegate]#
--------------------------------------------------------------------------------------------------
47 14 1d 28 55 17 42 63 5c 1f 5d 19 42 47 1e 1e 2b 0e 13 52 4a 17 1d 1a 56 4b

\x47\x14\x1d\x28\x55\x17\x42\x63\x5c\x1f\x5d\x19\x42\x47\x1e\x1e\x2b\x0e\x13\x52\x4a\x17\x1d\x1a

http://codegate.wowhacker.com/md5.php?key=\x47\x14\x1d\x28\x55\x17\x42\x63\x5c\x1f\x5d\x19\x42\x47\x1e\x1e\x2b\x0e\x13\x52\x4a\x17\x1d

md5 : a370f816e2ee8adc9dac978a06c0946e
============================================================================================
level 5

http://222.239.80.205/g37r007x9dk1hr/

CodeGate Level 5

You signed up for music portal A and paid 100,000 won to download an MP3 file. The file came as an EXE which, when run, created an MP3 file on the desktop. You thought, 'It is not just copying an MP3 file, so that must be why they distribute it as an EXE...', but paid it little attention. You then copied the MP3 file created on the desktop to your MP3 player, but the file was a DRM file in MP3 format. The song played back as nothing but crackling noise. You were angry: you paid 100,000 won and cannot even listen to the song... Having majored in computer music, you could tell that the first frame and the second frame of the MP3 file were odd.

Password : the title of the song

Hint.
----------------------------------------------------------------------------
[HINT] Decrypt the data area of the MP3 using the value of private.key. Let's handle other questions and answers on the board!
[HINT2] You must decrypt the data area and name the title of the song; the decryption key must be found in the challenge.
[HINT3] It is a widely known algorithm, not one made by the challenge author.
[HINT4 & direction] The DRM the user bought should originally include a decryption function. The encrypted data area of the MP3 therefore has to be decrypted, but because that routine is missing, the data area is played back still encrypted and only strange noise is heard. The value decrypted with private.key could be a new key value, couldn't it..?
[ LAST HINT ] Data area -> BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback. It encrypts or decrypts the bytes in in using the key schedule, putting the result in out. enc decides if encryption ( BF_ENCRYPT ) or decryption ( BF_DECRYPT ) shall be performed. ivec must point at an 8 byte long initialization vector. num must point at an integer which must be initially zero.
----------------------------------------------------------------------------

Solution.

Key found using reshacker: a PEM block, -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----.

Using it, I decrypted the suspicious 128 bytes in what.mp3.

-------------------------------------------
[root@matrix /home/matrix/codegate/level5]# perl -e 'print "\x28","\x6c","\x5b","\xcd","\x9c","\x20","\x19","\xad","\xad","\x45","\xbe","\x2f","\xc9","\xbb","\x0f","\xdd cat > text
-------------------------------------------
[root@matrix /home/matrix/codegate/level5]# openssl rsautl -decrypt -inkey key.rsa -in text
The best security group. WoWHacker[root@matrix /home/matrix/codegate/level5]#

With the key obtained, I then wrote source code to decrypt the mp3 data.

// header check: MPEG-1 Layer III frame header; 0xB0 = no padding byte, 0xB2 = padding byte
if( (src_buf[i] == 0xFF && src_buf[i+1] == 0xFB && src_buf[i+2] == 0xB0 && src_buf[i+3] == 0x04 ) ||
    (src_buf[i] == 0xFF && src_buf[i+1] == 0xFB && src_buf[i+2] == 0xB2 && src_buf[i+3] == 0x04 ) )
{
    if( src_buf[i+2] == 0xB2 )   // data area of a padded frame
        decryption((unsigned char*)enc_txt,(unsigned char*)plain_text,623);
    else                         // src_buf[i+2] == 0xB0
        decryption((unsigned char*)enc_txt,(unsigned char*)plain_text,622);
}

I got no sleep, and I listened to that beep~ beep~ bee-beep~ until I was sick of it. --;
I will attach the binary file and the mp3 file.

http://codegate.wowhacker.com/md5.php?key=can't take my eyes off you
=====================================================================================

I should have written this up right away, but I crammed and ended up staying up all night.
It feels like it was a good experience, so I am in a good mood. Thank you to the organizers for all your hard work. ^^V
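The 622 and 623 passed to decryption() in the level 5 solution follow from the frame headers: FF FB B0 04 and FF FB B2 04 are MPEG-1 Layer III headers at 192 kbit/s and 44.1 kHz that differ only in the padding bit. The following C code is an added example, not the author's program: it derives the data-area length from any such header and walks a buffer frame by frame. The function names are made up for this example and the sample stream in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MPEG-1 Layer III tables; bitrate index 0 ("free") and 15 are rejected. */
static const int kbps[16] = {0, 32, 40, 48, 56, 64, 80, 96,
                             112, 128, 160, 192, 224, 256, 320, 0};
static const int hz[4] = {44100, 48000, 32000, 0};

/* Frame length in bytes incl. header, or 0 if h is not a valid MPEG-1 Layer III header. */
size_t mp3_frame_len(const uint8_t *h)
{
    if (h[0] != 0xFF || (h[1] & 0xFE) != 0xFA)  /* sync + MPEG-1 + Layer III */
        return 0;
    int br = kbps[h[2] >> 4], sr = hz[(h[2] >> 2) & 3];
    int pad = (h[2] >> 1) & 1;                  /* 0xB0 -> 0, 0xB2 -> 1 */
    if (br == 0 || sr == 0) return 0;
    return (size_t)(144 * br * 1000 / sr + pad);
}

/* Header size: 4 bytes, plus a 2-byte CRC when the protection bit is 0. */
size_t mp3_header_len(const uint8_t *h) { return (h[1] & 1) ? 4 : 6; }

/* Walk buf frame by frame, recording each data area; returns complete frames found. */
size_t mp3_walk(const uint8_t *buf, size_t n, size_t *off, size_t *len, size_t max)
{
    size_t i = 0, count = 0;
    while (i + 4 <= n && count < max) {
        size_t flen = mp3_frame_len(buf + i);
        if (flen == 0) { i++; continue; }       /* not a header: resync */
        if (flen > n - i) break;                /* truncated final frame */
        off[count] = i + mp3_header_len(buf + i);
        len[count++] = flen - mp3_header_len(buf + i);
        i += flen;                              /* never scan inside a payload */
    }
    return count;
}

int main(void)
{
    static uint8_t buf[10 + 626 + 627];         /* constructed sample stream */
    size_t off[4], len[4];
    memset(buf, 0xAA, sizeof buf);
    memcpy(buf + 10, "\xFF\xFB\xB0\x04", 4);    /* unpadded frame */
    memcpy(buf + 10 + 626, "\xFF\xFB\xB2\x04", 4); /* padded frame */
    size_t n = mp3_walk(buf, sizeof buf, off, len, 4);
    for (size_t k = 0; k < n; k++)
        printf("frame %zu: data at %zu, %zu bytes\n", k, off[k], len[k]);
}
```

Stepping by the computed frame length, instead of testing for the four header bytes at every offset, avoids false header matches inside encrypted data areas.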
Codegate Preliminary Match Repot - 2008
Blog author: History maker Historymaker http://blog.daum.net/hch73111
Published: 2012.06.15 20:26:26
This work is protected under copyright law in Korea; unauthorized reproduction and redistribution are prohibited.