
Ghidra 분석 (정적 분석)
1. 프로그램의 시작점: Entry Point


2. FUN_1400013e8 (환경 설정 및 데이터 보존)

※ 함수 분석 상세 ->
*************************************************************
* FUNCTION
*************************************************************
; Purpose: CRT startup routine called from `entry` (XREF entry:140001571). It initialises
; the C runtime, runs the initializer tables, calls FUN_140001100 with
; (argc, argv, envp)-style arguments and hands that function's return value to exit().
; The __scrt_* / _initterm names are Ghidra-recovered symbols; the overall shape looks
; like the MSVC CRT startup helper (presumably __scrt_common_main_seh) - confirm
; against the CRT sources before relying on that name.
; ABI: Microsoft x64 (__fastcall): args in RCX, RDX, R8, R9; return value in RAX.
; Register roles visible in the listing:
;   SIL / local_18 ([RSP+0x20]) = flag, 0 on the normal path, 1 if startup state was
;                                 already non-zero (tested at 1400014ff)
;   BL  = result of __scrt_acquire_startup_lock until it is released at 14000147f
;   EBX = return value of FUN_140001100 from 1400014f4 onwards
ulonglong __fastcall FUN_1400013e8 (void )
assume GS_OFFSET = 0xff00000000
ulonglong RAX:8 <RETURN>
undefined8 Stack[0x10]:8 local_res10 XREF[2]: 1400013ed (W) ,
140001534 (R)
undefined8 Stack[0x8]:8 local_res8 XREF[2]: 1400013e8 (W) ,
14000152f (R)
undefined1 Stack[-0x18]:1 local_18 XREF[2]: 14000140c (W) ,
140001478 (W)
FUN_1400013e8 XREF[2]: entry:140001571 (c) ,
140004090 (*)
; Prologue: RBX and RSI are saved at [RSP+0x8] / [RSP+0x10], i.e. above the return
; address in the caller-provided home space, then RDI is pushed and 0x30 bytes reserved.
1400013e8 48 89 5c MOV qword ptr [RSP + local_res8 ],RBX
24 08
1400013ed 48 89 74 MOV qword ptr [RSP + local_res10 ],RSI
24 10
1400013f2 57 PUSH RDI
1400013f3 48 83 ec 30 SUB RSP ,0x30
; __scrt_initialize_crt(1); a zero (false) result jumps to LAB_14000153f -> __scrt_fastfail(7).
; NOTE(review): the argument 1 is presumably the "exe" module type - confirm.
1400013f7 b9 01 00 MOV ECX ,0x1
00 00
1400013fc e8 2f 03 CALL __scrt_initialize_crt undefined8 __scrt_initialize_crt
00 00
140001401 84 c0 TEST AL,AL
140001403 0f 84 36 JZ LAB_14000153f
01 00 00
; Clear the flag in SIL and mirror it into local_18.
140001409 40 32 f6 XOR SIL ,SIL
14000140c 40 88 74 MOV byte ptr [RSP + local_18 ],SIL
24 20
140001411 e8 de 02 CALL __scrt_acquire_startup_lock undefined8 __scrt_acquire_startu
00 00
140001416 8a d8 MOV BL,AL
; DAT_1400035c0 is a startup-state variable: 1 -> fastfail, non-zero -> skip the
; initializers and set the flag, 0 -> set it to 1, run both tables, then set it to 2.
; NOTE(review): presumably 0/1/2 = uninitialized/initializing/initialized - confirm.
140001418 8b 0d a2 MOV ECX ,dword ptr [DAT_1400035c0 ]
21 00 00
14000141e 83 f9 01 CMP ECX ,0x1
140001421 0f 84 23 JZ LAB_14000154a
01 00 00
140001427 85 c9 TEST ECX ,ECX
140001429 75 4a JNZ LAB_140001475
14000142b c7 05 8b MOV dword ptr [DAT_1400035c0 ],0x1
21 00 00
01 00 00 00
; _initterm_e(DAT_1400021e0, DAT_1400021f8): a non-zero return aborts startup and this
; function returns 0xff. Whatever these tables reference runs before FUN_140001100, so
; when triaging an unknown binary their entries are worth inspecting as well.
140001435 48 8d 15 LEA RDX ,[DAT_1400021f8 ]
bc 0d 00 00
14000143c 48 8d 0d LEA RCX ,[DAT_1400021e0 ]
9d 0d 00 00
140001443 e8 a0 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::_initterm_e undefined _initterm_e()
00 00
140001448 85 c0 TEST EAX ,EAX
14000144a 74 0a JZ LAB_140001456
14000144c b8 ff 00 MOV EAX ,0xff
00 00
140001451 e9 d9 00 JMP LAB_14000152f
00 00
LAB_140001456 XREF[1]: 14000144a (j)
; _initterm(DAT_1400021c8, DAT_1400021d8), then mark the startup state as 2.
140001456 48 8d 15 LEA RDX ,[DAT_1400021d8 ]
7b 0d 00 00
14000145d 48 8d 0d LEA RCX ,[DAT_1400021c8 ]
64 0d 00 00
140001464 e8 79 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::_initterm undefined _initterm()
00 00
140001469 c7 05 4d MOV dword ptr [DAT_1400035c0 ],0x2
21 00 00
02 00 00 00
140001473 eb 08 JMP LAB_14000147d
LAB_140001475 XREF[1]: 140001429 (j)
; Startup state was already non-zero (and not 1): set the flag to 1, skip the tables.
140001475 40 b6 01 MOV SIL ,0x1
140001478 40 88 74 MOV byte ptr [RSP + local_18 ],SIL
24 20
LAB_14000147d XREF[1]: 140001473 (j)
; Release the startup lock, passing back the value saved in BL.
14000147d 8a cb MOV CL,BL
14000147f e8 1c 04 CALL __scrt_release_startup_lock undefined __scrt_release_startup
00 00
; FUN_140001a44 returns a pointer to a function-pointer slot (kept in RBX). The slot is
; only called when it is non-null AND __scrt_is_nonwritable_in_current_image accepts it.
; The call uses RCX=0, EDX=2, R8D=0 and goes through _guard_dispatch_icall (the Control
; Flow Guard dispatch thunk) with the target in RAX.
; NOTE(review): presumably the dynamic TLS init callback - confirm.
140001484 e8 bb 05 CALL FUN_140001a44 undefined * FUN_140001a44(void)
00 00
140001489 48 8b d8 MOV RBX ,RAX
14000148c 48 83 38 00 CMP qword ptr [RAX ],0x0
140001490 74 1e JZ LAB_1400014b0
140001492 48 8b c8 MOV RCX ,RAX
140001495 e8 6e 03 CALL __scrt_is_nonwritable_in_current_image ulonglong __scrt_is_nonwritable_
00 00
14000149a 84 c0 TEST AL,AL
14000149c 74 12 JZ LAB_1400014b0
14000149e 45 33 c0 XOR R8D ,R8D
1400014a1 41 8d 50 02 LEA EDX ,[R8 + 0x2 ]
1400014a5 33 c9 XOR ECX ,ECX
1400014a7 48 8b 03 MOV RAX ,qword ptr [RBX ]
1400014aa ff 15 10 CALL qword ptr [->_guard_dispatch_icall ] undefined _guard_dispatch_icall(
0d 00 00 = 140001f60
LAB_1400014b0 XREF[2]: 140001490 (j) , 14000149c (j)
; Same null + non-writable check for the slot returned by FUN_140001a4c; its content is
; then passed in RCX to a CRT import whose name is truncated in this listing
; ("_register_thread_local...").
1400014b0 e8 97 05 CALL FUN_140001a4c undefined * FUN_140001a4c(void)
00 00
1400014b5 48 8b d8 MOV RBX ,RAX
1400014b8 48 83 38 00 CMP qword ptr [RAX ],0x0
1400014bc 74 14 JZ LAB_1400014d2
1400014be 48 8b c8 MOV RCX ,RAX
1400014c1 e8 42 03 CALL __scrt_is_nonwritable_in_current_image ulonglong __scrt_is_nonwritable_
00 00
1400014c6 84 c0 TEST AL,AL
1400014c8 74 08 JZ LAB_1400014d2
1400014ca 48 8b 0b MOV RCX ,qword ptr [RBX ]
1400014cd e8 46 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::_register_t undefined _register_thread_local
00 00
LAB_1400014d2 XREF[2]: 1400014bc (j) , 1400014c8 (j)
; Build the three arguments for FUN_140001100:
;   R8  = value returned by the "_get_initial_narrow_en..." import (name truncated here)
;   RDX = *__p___argv()
;   ECX = *__p___argc()
; This (argc, argv, envp) pattern is what identifies FUN_140001100 as main.
1400014d2 e8 05 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::_get_initia undefined _get_initial_narrow_en
00 00
1400014d7 48 8b f8 MOV RDI ,RAX
1400014da e8 27 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::__p___argv undefined __p___argv()
00 00
1400014df 48 8b 18 MOV RBX ,qword ptr [RAX ]
1400014e2 e8 19 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::__p___argc undefined __p___argc()
00 00
1400014e7 4c 8b c7 MOV R8,RDI
1400014ea 48 8b d3 MOV RDX ,RBX
1400014ed 8b 08 MOV ECX ,dword ptr [RAX ]
1400014ef e8 0c fc CALL FUN_140001100 undefined8 FUN_140001100(undefin
ff ff
; EBX keeps main's return value across the following calls.
1400014f4 8b d8 MOV EBX ,EAX
; __scrt_is_managed_app() == false -> LAB_140001554 -> exit(EBX), which does not return.
; Otherwise: _cexit() unless the flag in SIL is set, then __scrt_uninitialize_crt(1, 0)
; and a normal return of EBX.
1400014f6 e8 b5 06 CALL __scrt_is_managed_app ulonglong __scrt_is_managed_app(
00 00
1400014fb 84 c0 TEST AL,AL
1400014fd 74 55 JZ LAB_140001554
1400014ff 40 84 f6 TEST SIL ,SIL
140001502 75 05 JNZ LAB_140001509
140001504 e8 03 0a CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::_cexit void _cexit(void)
00 00
LAB_140001509 XREF[1]: 140001502 (j)
140001509 33 d2 XOR EDX ,EDX
14000150b b1 01 MOV CL,0x1
14000150d e8 b2 03 CALL __scrt_uninitialize_crt undefined1 __scrt_uninitialize_c
00 00
140001512 8b c3 MOV EAX ,EBX
140001514 eb 19 JMP LAB_14000152f
; 140001516-14000152e: bytes Ghidra left undefined (no flow reaches them in this listing).
; They start with 8B D8 / E8 .. / 84 C0, the same encodings shown above for
; MOV EBX,EAX / CALL / TEST AL,AL, so they look like code rather than data.
; NOTE(review): presumably an exception-handler path of this function - disassemble
; the range in Ghidra to confirm.
140001516 8b ?? 8Bh
140001517 d8 ?? D8h
140001518 e8 ?? E8h
140001519 93 ?? 93h
14000151a 06 ?? 06h
14000151b 00 ?? 00h
14000151c 00 ?? 00h
14000151d 84 ?? 84h
14000151e c0 ?? C0h
14000151f 74 ?? 74h t
140001520 3b ?? 3Bh ;
140001521 80 ?? 80h
140001522 7c ?? 7Ch |
140001523 24 ?? 24h $
140001524 20 ?? 20h
140001525 00 ?? 00h
140001526 75 ?? 75h u
140001527 05 ?? 05h
140001528 e8 ?? E8h
140001529 e5 ?? E5h
14000152a 09 ?? 09h
14000152b 00 ?? 00h
14000152c 00 ?? 00h
14000152d 8b ?? 8Bh
14000152e c3 ?? C3h
LAB_14000152f XREF[2]: 140001451 (j) , 140001514 (j)
; Epilogue: restore RBX/RSI from the home space (now at RSP+0x40 / RSP+0x48), free the
; 0x30 bytes, pop RDI, return with the result in EAX.
14000152f 48 8b 5c MOV RBX ,qword ptr [RSP + local_res8 ]
24 40
140001534 48 8b 74 MOV RSI ,qword ptr [RSP + local_res10 ]
24 48
140001539 48 83 c4 30 ADD RSP ,0x30
14000153d 5f POP RDI
14000153e c3 RET
LAB_14000153f XREF[1]: 140001403 (j)
; Failure path for __scrt_initialize_crt: __scrt_fastfail(7).
; 7 is FAST_FAIL_FATAL_APP_EXIT in winnt.h.
14000153f b9 07 00 MOV ECX ,0x7
00 00
140001544 e8 13 05 CALL __scrt_fastfail undefined __scrt_fastfail(undefi
00 00
140001549 90 NOP
LAB_14000154a XREF[1]: 140001421 (j)
; Failure path for startup state == 1: __scrt_fastfail(7) again.
14000154a b9 07 00 MOV ECX ,0x7
00 00
14000154f e8 08 05 CALL __scrt_fastfail undefined __scrt_fastfail(undefi
00 00
LAB_140001554 XREF[1]: 1400014fd (j)
; Native (non-managed) path: exit(main's return value). The flow override below marks
; the call as a terminator, which is why the bytes after it were not disassembled.
140001554 8b cb MOV ECX ,EBX
140001556 e8 93 09 CALL API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL::exit void exit(int _Code)
00 00
-- Flow Override: CALL_RETURN (CALL_TERMINATOR)
assume GS_OFFSET = <UNKNOWN>
; 14000155b-140001563: more undefined bytes (90 / 8B CB / E8 .. / 90); 8B CB is the
; encoding shown above for MOV ECX,EBX. NOTE(review): likely the tail of the same
; handler path - confirm by disassembling.
14000155b 90 ?? 90h
14000155c 8b ?? 8Bh
14000155d cb ?? CBh
assume GS_OFFSET = 0xff00000000
14000155e e8 ?? E8h
assume GS_OFFSET = <UNKNOWN>
14000155f 91 ?? 91h
140001560 09 ?? 09h
140001561 00 ?? 00h
140001562 00 ?? 00h
140001563 90 ?? 90h
3. main 함수(FUN_140001100) 식별 방법




4. main 함수 내부 로직 분석
※ FUN_140001100 상세 코드 ->
*************************************************************
* FUNCTION
*************************************************************
; Purpose: the program's main routine (called from FUN_1400013e8 at 1400014ef). It zeroes
; a 0x100-byte stack buffer, prints "Input : ", reads one token with the format "%256s",
; passes the buffer to FUN_140001000 and prints "Correct" or "Wrong" depending on the
; result. It always returns 0.
; ABI: Microsoft x64 (__fastcall); Ghidra shows RCX/RDX as param_1/param_2 throughout.
; Stack layout after SUB RSP,0x130:
;   [RSP+0x20 .. RSP+0x11F]  local_118, the 0x100-byte input buffer
;   [RSP+0x120]              local_18, the /GS stack cookie (cookie XOR RSP)
; The cookie slot starts directly after the last byte of the buffer.
undefined8 __fastcall FUN_140001100 (undefined8 param_1 ,
assume GS_OFFSET = 0xff00000000
undefined8 RAX:8 <RETURN>
undefined8 RCX:8 param_1
undefined8 RDX:8 param_2
undefined8 R8:8 param_3
undefined8 R9:8 param_4
undefined8 Stack[-0x18]:8 local_18 XREF[2]: 140001113 (W) ,
140001175 (R)
undefined Stack[-0x118 local_118 XREF[3]: 14000111b (*) ,
140001138 (*) ,
140001149 (*)
FUN_140001100 XREF[2]: FUN_1400013e8:1400014ef (c) ,
140004024 (*)
140001100 40 57 PUSH RDI
140001102 48 81 ec SUB RSP ,0x130
30 01 00 00
; Stack-cookie setup: load the global cookie (DAT_140003008), XOR it with RSP and store
; it at local_18. NOTE(review): the value Ghidra shows is what is stored in the image;
; presumably the CRT replaces it with a random value at startup - confirm in x64dbg.
140001109 48 8b 05 MOV RAX ,qword ptr [DAT_140003008 ] = 00002B992DDFA232h
f8 1e 00 00
140001110 48 33 c4 XOR RAX ,RSP
140001113 48 89 84 MOV qword ptr [RSP + local_18 ],RAX
24 20 01
00 00
; memset(local_118, 0, 0x100): RDI = buffer, AL = 0, count 0x100 in RCX, REP STOSB.
14000111b 48 8d 44 LEA RAX =>local_118 ,[RSP + 0x20 ]
24 20
140001120 48 8b f8 MOV RDI ,RAX
140001123 33 c0 XOR EAX ,EAX
140001125 b9 00 01 MOV param_1 ,0x100
00 00
14000112a f3 aa STOSB.REP RDI
; FUN_140001190("Input : "). NOTE(review): presumably a printf-style wrapper - confirm.
14000112c 48 8d 0d LEA param_1 ,[s_Input_:_140002238 ] = "Input : "
05 11 00 00
140001133 e8 58 00 CALL FUN_140001190 int FUN_140001190(char * param_1
00 00
; FUN_1400011f0("%256s", local_118). NOTE(review): presumably a scanf-style wrapper.
; If so, the width 256 limits the characters stored but the terminating NUL is written
; in addition, so the call can store 257 bytes into a 256-byte buffer. With a token of
; 256 or more characters the NUL would land at RSP+0x120, the low byte of the saved
; cookie, and __security_check_cookie at 140001180 would then normally fail. The
; source-level fix is a width of 255 ("%255s") or a 257-byte buffer.
140001138 48 8d 54 LEA param_2 =>local_118 ,[RSP + 0x20 ]
24 20
14000113d 48 8d 0d LEA param_1 ,[s_%256s_140002244 ] = "%256s"
00 11 00 00
140001144 e8 a7 00 CALL FUN_1400011f0 int FUN_1400011f0(char * param_1
00 00
; FUN_140001000(local_118) is the check routine: zero -> "Wrong", non-zero -> "Correct".
140001149 48 8d 4c LEA param_1 =>local_118 ,[RSP + 0x20 ]
24 20
14000114e e8 ad fe CALL FUN_140001000 bool FUN_140001000(char * param_
ff ff
140001153 85 c0 TEST EAX ,EAX
140001155 74 0f JZ LAB_140001166
; Both branches call the same stdio import (name truncated in this listing) with the
; message in RCX. NOTE(review): presumably puts - confirm in the import table.
140001157 48 8d 0d LEA param_1 ,[s_Correct_140002250 ] = "Correct"
f2 10 00 00
14000115e ff 15 0c CALL qword ptr [->API-MS-WIN-CRT-STDIO-L1-1-0.DLL:: = 00002adc
10 00 00
140001164 eb 0d JMP LAB_140001173
LAB_140001166 XREF[1]: 140001155 (j)
140001166 48 8d 0d LEA param_1 ,[s_Wrong_140002258 ] = "Wrong"
eb 10 00 00
14000116d ff 15 fd CALL qword ptr [->API-MS-WIN-CRT-STDIO-L1-1-0.DLL:: = 00002adc
0f 00 00
LAB_140001173 XREF[1]: 140001164 (j)
; Return value 0, then the /GS epilogue: reload local_18, undo the XOR with RSP and let
; __security_check_cookie compare it with the global cookie before the frame is released.
140001173 33 c0 XOR EAX ,EAX
140001175 48 8b 8c MOV param_1 ,qword ptr [RSP + local_18 ]
24 20 01
00 00
14000117d 48 33 cc XOR param_1 ,RSP
140001180 e8 5b 01 CALL __security_check_cookie void __security_check_cookie(uin
00 00
140001185 48 81 c4 ADD RSP ,0x130
30 01 00 00
14000118c 5f POP RDI
14000118d c3 RET
; CC bytes after RET: INT3 padding up to the next function.
14000118e cc ?? CCh
14000118f cc ?? CCh




5. 정답 검증 및 최종 결론 (FUN_140001000)


x64dbg 분석 (동적 분석)



