------------------------------------------------------------------------------
Patch Lecture No. 3 - 22 / 09 / 98
Program : Chollian Babel 2.0 retail version ( Babel 2.0 ) : patching the authentication procedure
Tools used : Soft-Ice Version 3.23 Reg , W32Dasm Version 8.9 Reg
------------------------------------------------------------------------------

Hello.. I'm back with the 3rd lecture. I haven't had much time... so I apologize that this lecture comes out late. In this lecture too, keep your eyes peeled. Eyes wide open!

This time we will patch the authentication procedure of Chollian Babel 2.0.

When you run this program, the URL box reads "Please connect to the Chollian value-added service Babel web site".. and if you press any button it shows messages like

"You must connect to the Babel homepage and get authenticated before you can use Babel"
"Do you want to go through the authentication procedure?"

and asks you to authenticate.

Judging from the type of message box above, these functions are usually used:

Bpx createdialogindirectparama
Bpx createdialogparama
Bpx dialogboxparama
Bpx dialogboxindirectparama
Bpx dialogbox

Those are the usual functions. But in this program none of them catch anything. So which function should we use!? If the functions above are not hit, use the following one:

Bpx updatewindow

Run Babel, bring up the SoftICE screen and set a breakpoint on that function. Then, for example, click the lightning icon?? Right.. SoftICE will pop up at USER32!UpdateWindow. That place is inside USER32.DLL. Press F7!!

XXXX:5F41A755 -> somewhere like this..

If you wonder where this is, right-click on the address part above.. then click Display and the DATA window will show something like MFC42!. So we can say this part is inside MFC42.DLL! The place we have to find and trace is not inside a Windows DLL file.. but the memory of the executable we launched.. so keep pressing F7! When you press F7 the box that asks you to authenticate appears. Press Cancel..

XXXX:5F401C8D -> this is also a Windows DLL

F7 again!!!

XXXX:414291 -> Now we've found it..

Right-click on the address part above and Display, and it will show something like BA20C!. So from here on we have to look carefully! The listing below is shown at length..!!! Sorry, the listing is just very long.!

****************
What to watch for in the part below: we have to find where "did it authenticate!? or not?!" is stored.
****************

**:0041417C 8B87A0190000 mov eax, dword ptr [edi+000019A0]
**:00414182 85C0 test eax, eax
**:00414184 0F84B2000000 je 0041423C
**:0041418A 8B442414 mov eax, dword ptr [esp+14]
-> We will modify the part above.
-> How do we modify it!!??
-> mov dword ptr [48617c],1
   jmp 41423c
   original code => 8B 87 A0 19 00 00 85 C0 0F 84 B2 00 00 00 8B
   modified code => C7 05 7C 61 48 00 01 00 00 00 E9 61 00 00 00
-> We change it arbitrarily like this
-> Then!!! in every part below [48617c] = 1, so it keeps being judged as authenticated..!!
   So the patch is done!!!!!!!!!!!!!!!!

:0041418E 85C0 test eax, eax
:00414190 0F84A6000000 je 0041423C
:00414196 6860604800 push 00486060
:0041419B B960614800 mov ecx, 00486160
:004141A0 E8FBB60400 Call 0045F8A0
:004141A5 8B8FA0190000 mov ecx, dword ptr [edi+000019A0]
:004141AB 6AFF push FFFFFFFF
:004141AD E836DCFEFF call 00401DE8
:004141B2 B960614800 mov ecx, 00486160
:004141B7 E80CB90400 Call 0045FAC8
* Possible StringData Ref from Data Obj ->"CGI-BIN/BABEL20.CGI"
|
:004141BC 6810234700 push 00472310
:004141C1 B960614800 mov ecx, 00486160
:004141C6 E8F7B80400 Call 0045FAC2
:004141CB 83F8FF cmp eax, FFFFFFFF
:004141CE 746C je 0041423C
:004141D0 6860614800 push 00486160
:004141D5 B970614800 mov ecx, 00486170
:004141DA C7057C61480001000000 mov dword ptr [0048617C], 00000001 -> Take the hint from this part!
:004141E4 E8C3B60400 Call 0045F8AC
:004141E9 6A00 push 00000000
:004141EB 6A00 push 00000000
:004141ED 68E8224700 push 004722E8
:004141F2 E88DB70400 Call 0045F984 -> Babel authentication procedure completed!
-> Authentication completed.!! So what changed ??!!
-> Do you see the mov dword ptr [0048617C], 00000001 above!?????

:004141F7 6860614800 push 00486160
:004141FC 8D8FF4030000 lea ecx, dword ptr [edi+000003F4]
:00414202 E8A5B60400 Call 0045F8AC
:00414207 6A00 push 00000000
:00414209 8BCF mov ecx, edi
:0041420B E81CB80400 Call 0045FA2C
:00414210 8D4C2428 lea ecx, dword ptr [esp+28]
:00414214 C684249000000000 mov byte ptr [esp+00000090], 00
:0041421C E8EFB80400 Call 0045FB10
:00414221 8D4C2410 lea ecx, dword ptr [esp+10]
:00414225 C7842490000000FFFFFFFF mov dword ptr [esp+00000090], FFFFFFFF
:00414230 E80BB60400 Call 0045F840
:00414235 33C0 xor eax, eax
:00414237 E949010000 jmp 00414385
:0041423C 8D4C2428 lea ecx, dword ptr [esp+28]
:00414240 C684249000000000 mov byte ptr [esp+00000090], 00
:00414248 E8C3B80400 Call 0045FB10
:0041424D 83CEFF or esi, FFFFFFFF
:00414250 8D4C2410 lea ecx, dword ptr [esp+10]
:00414254 89B42490000000 mov dword ptr [esp+00000090], esi
:0041425B E8E0B50400 Call 0045F840
:00414260 EB03 jmp 00414265
:00414262 83CEFF or esi, FFFFFFFF
:00414265 A17C614800 mov eax, dword ptr [0048617C] <= What is this!
*******************************
-> eax = [48617c]
-> If eax = 0 here, the jump below is not taken
-> If eax = 1 here, the jump below is taken
test eax, eax
:0041426C 0F850E010000 jne 00414380
-> If the jump is not taken here, the authentication request box right below is shown
*******************************
-> For this to jump!!!!
:00414272 6A00 push 00000000
:00414274 8D4C242C lea ecx, dword ptr [esp+2C]
:00414278 E871D5FEFF call 004017EE
:0041427D 8D4C2428 lea ecx, dword ptr [esp+28]
:00414281 C784249000000002000000 mov dword ptr [esp+00000090], 00000002
:0041428C E883B40400 Call 0045F714 -> Authentication request box
:00414291 83F802 cmp eax, 00000002 -> Did you click No!?
:00414294 0F84D2000000 je 0041436C -> If you clicked No, Jump
:0041429A 8BCF mov ecx, edi
:0041429C E85CD0FEFF call 004012FD
:004142A1 686C614800 push 0048616C
:004142A6 B970614800 mov ecx, 00486170
:004142AB E8FCB50400 Call 0045F8AC
:004142B0 8B8FA0190000 mov ecx, dword ptr [edi+000019A0]
:004142B6 85C9 test ecx, ecx
:004142B8 0F84AE000000 je 0041436C
:004142BE 8D542414 lea edx, dword ptr [esp+14]
:004142C2 52 push edx
:004142C3 E89BD8FEFF call 00401B63
:004142C8 51 push ecx
:004142C9 8D442418 lea eax, dword ptr [esp+18]
:004142CD B303 mov bl, 03
:004142CF 8BCC mov ecx, esp
:004142D1 89642414 mov dword ptr [esp+14], esp
:004142D5 50 push eax
:004142D6 889C2498000000 mov byte ptr [esp+00000098], bl
:004142DD E844B70400 Call 0045FA26
:004142E2 51 push ecx
:004142E3 C684249800000004 mov byte ptr [esp+00000098], 04
:004142EB 8BCC mov ecx, esp
:004142ED 89642420 mov dword ptr [esp+20], esp
:004142F1 6860604800 push 00486060
:004142F6 E8D5B50400 Call 0045F8D0
:004142FB 51 push ecx
:004142FC C684249C00000005 mov byte ptr [esp+0000009C], 05
:00414304 8BCC mov ecx, esp
:00414306 89642428 mov dword ptr [esp+28], esp
:0041430A 6860604800 push 00486060
:0041430F E8BCB50400 Call 0045F8D0
:00414314 6A00 push 00000000
:00414316 56 push esi
:00414317 51 push ecx
:00414318 C68424A800000006 mov byte ptr [esp+000000A8], 06
:00414320 8BCC mov ecx, esp
:00414322 89642438 mov dword ptr [esp+38], esp
:00414326 6860604800 push 00486060
:0041432B E8A0B50400 Call 0045F8D0
:00414330 51 push ecx
:00414331 C68424AC00000007 mov byte ptr [esp+000000AC], 07
:00414339 8BCC mov ecx, esp
:0041433B 89642440 mov dword ptr [esp+40], esp
:0041433F 6870614800 push 00486170
:00414344 E8DDB60400 Call 0045FA26
:00414349 8B8FA0190000 mov ecx, dword ptr [edi+000019A0]
:0041434F 889C24AC000000 mov byte ptr [esp+000000AC], bl
:00414356 E8AFD1FEFF call 0040150A
:0041435B 8D4C2414 lea ecx, dword ptr [esp+14]
:0041435F C684249000000002 mov byte ptr [esp+00000090], 02
:00414367 E8D4B40400 Call 0045F840
-> The part above is the part that performs the authentication!! Of no use to us!
-> If it falls through to the part below, eax is set to 0 and it returns -> that means authentication failed!!
:0041436C 8D4C2428 lea ecx, dword ptr [esp+28]
:00414370 89B42490000000 mov dword ptr [esp+00000090], esi
:00414377 E8D6B40400 Call 0045F852
:0041437C 33C0 xor eax, eax -> eax = 0
:0041437E EB05 jmp 00414385
-> It must jump here for it to return with eax = 1
-> After leaving this call, eax is checked to decide whether to translate or not..
:00414380 B801000000 mov eax, 00000001 -> eax = 1
:00414385 8B8C2488000000 mov ecx, dword ptr [esp+00000088]
:0041438C 5F pop edi
:0041438D 5E pop esi
:0041438E 5D pop ebp
:0041438F 64890D00000000 mov dword ptr fs:[00000000], ecx
:00414396 5B pop ebx
:00414397 81C484000000 add esp, 00000084
:0041439D C3 ret -> end

Phew?! Did I explain something so simple at such length!! Did you catch on!!??

In this program, the address [48617C] holds 1 if authentication was done and 0 if it was not. So if we arbitrarily set [48617C] to 1, every place judges it as authenticated and the program can always be used without going through the authentication procedure!?

End..
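As an added example that is not part of the original post: a small integrity check, written from the defender's side, that tells whether a copy of the executable still carries the original 15 bytes at 0041417C or the replacement shown above, and decodes the replacement's first instruction to confirm it stores to the flag at [0048617C]. The sample images are constructed buffers, not the real file.

```python
"""Tamper check for the 15-byte authentication stub at 0041417C (constructed example)."""
from __future__ import annotations

# Byte sequences exactly as listed in the post: the original stub and its replacement.
ORIGINAL_STUB = bytes.fromhex("8B87A019000085C00F84B20000008B")
PATCHED_STUB = bytes.fromhex("C7057C61480001000000E961000000")

# The global flag the post identifies: [0048617C] == 1 means "authenticated".
AUTH_FLAG_ADDR = 0x0048617C

def decode_mov_abs_imm32(code: bytes) -> tuple[int, int]:
    """Decode 'C7 05 <addr32> <imm32>' (mov dword ptr [addr], imm) into (addr, imm)."""
    if len(code) < 10 or code[0] != 0xC7 or code[1] != 0x05:
        raise ValueError("not a mov dword ptr [abs32], imm32")
    addr = int.from_bytes(code[2:6], "little")
    imm = int.from_bytes(code[6:10], "little")
    return addr, imm

def writes_auth_flag(code: bytes) -> bool:
    """True if the first instruction in `code` stores a non-zero value to the flag."""
    try:
        addr, imm = decode_mov_abs_imm32(code)
    except ValueError:
        return False
    return addr == AUTH_FLAG_ADDR and imm != 0

def find_stubs(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every occurrence of the original or patched stub."""
    hits = []
    for kind, pattern in (("original", ORIGINAL_STUB), ("patched", PATCHED_STUB)):
        pos = image.find(pattern)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)

def classify_image(image: bytes) -> str:
    """'tampered' if the patched stub is present, 'intact' if only the original is,
    'unknown' if neither is found (different build, packed, or not this binary)."""
    kinds = {kind for _, kind in find_stubs(image)}
    if "patched" in kinds:
        return "tampered"
    return "intact" if "original" in kinds else "unknown"

# Constructed sample images (not real files): filler bytes around each stub.
SAMPLE_INTACT = b"\x90" * 32 + ORIGINAL_STUB + b"\xCC" * 16
SAMPLE_TAMPERED = b"\x90" * 32 + PATCHED_STUB + b"\xCC" * 16
```

A byte search like this is only a known-pattern check; a hash of the whole file against a known-good value catches any other modification as well.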