{"id":5365,"date":"2015-12-13T05:21:49","date_gmt":"2015-12-12T20:21:49","guid":{"rendered":"https:\/\/mimumimu.net\/blog\/?p=5365"},"modified":"2015-12-13T17:46:14","modified_gmt":"2015-12-13T08:46:14","slug":"qr-puzzle-write-up","status":"publish","type":"post","link":"https:\/\/mimumimu.net\/blog\/2015\/12\/13\/qr-puzzle-write-up\/","title":{"rendered":"QR puzzle Write-up"},"content":{"rendered":"

\u3069\u3046\u3082\u307f\u3080\u3089\u3067\u3059\u3002<\/p>\n

\u51ac\u3060\uff01\u304a\u3053\u305f\u3060\uff01CTF\u3060\uff01 \u3068\u3044\u3046\u3053\u3068\u3067\u3001
\u4eca\u5e74\u3082 SECCON CTF 2015 \u306e\u30aa\u30f3\u30e9\u30a4\u30f3\u4e88\u9078\u306b\u53c2\u52a0\u3057\u307e\u3057\u305f\u3002<\/p>\n

12\u67085\u65e5\uff5e12\u67086\u65e5\u3068\u3044\u3046\u3053\u3068\u3067\u3001
\u3093\u3058\u3083\u6cca\u307e\u308a\u8fbc\u3093\u3067\u3084\u3063\u3066\u307f\u307e\u3059\u304b\u30fb\u30fb\u3068\u3044\u3046\u3053\u3068\u3067\u3001
\u5927\u5b66\u306b\u6cca\u307e\u308a\u8fbc\u3093\u3067\u3084\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n

\u30fb\u30fb\u30fb\u8ad6\u6587\u4f5c\u6210\u3067\u716e\u8a70\u307e\u3063\u3066\u3044\u305f\u306e\u3067\u3001\u6c17\u5206\u8ee2\u63db\u306b\u3082\u3044\u3044\u3088\u306d\uff01 \u3068\u3044\u3046\u3053\u3068\u3067\u3002<\/p>\n

 <\/p>\n

\u4eca\u56de\u306f\u51fa\u984c\u3055\u308c\u305f\u554f\u984c\u306e\u3046\u3061\u3001 \u201cQR-Puzzle (Windows)\u201d \u3068\u3044\u3046\u554f\u984c\u306b\u3064\u3044\u3066\u3002<\/p>\n

\u554f\u984c\u6982\u8981\u3084\u60f3\u5b9a\u89e3\u306b\u95a2\u3057\u3066\u306f\u3001\u51fa\u984c\u8005\u3067\u3042\u308b\u5c71\u5d0e\u3055\u3093\u306e\u8a18\u4e8b\u3092\u95b2\u89a7\u3057\u3066\u9802\u3051\u308c\u3070\u3068\u304a\u3082\u3044\u307e\u3059\u3002<\/p>\n

SECCON 2015\u30aa\u30f3\u30e9\u30a4\u30f3\u4e88\u9078\u306b3\u554f\u3092\u51fa\u984c\u3057\u307e\u3057\u305f\uff01 | \u30e9\u30c3\u30af\u516c\u5f0f\u30d6\u30ed\u30b0 | \u682a\u5f0f\u4f1a\u793e\u30e9\u30c3\u30af
http:\/\/www.lac.co.jp\/blog\/category\/security\/201512072.html<\/a><\/p>\n

 <\/p>\n

\u3055\u3066\u3002
CTF, Windows \u3068\u6765\u308b\u3068\u52dd\u624b\u306b\u300c\u3084\u308b\u6c17\u30b9\u30a4\u30c3\u30c1\u300d\uff08\u53e4\u3044\uff1f\uff09\u304c\u5165\u308b\u79c1\u3067\u3059\u3002<\/p>\n

\u554f\u984c\u306b\u95a2\u3057\u3066\u3053\u3093\u306a\u611f\u3058\u3067\u89e3\u304d\u307e\u3057\u305f\uff1a<\/p>\n

\n

1. \u30d5\u30a1\u30a4\u30eb\u3092\u898b\u308b\u3002<\/h3>\n

\"image\"<\/a><\/p>\n

.net !!
\u30c9\u30c3\u30c8\u30cd\u30c3\u30c8\u3067\u3059\u3088\u3001\u304a\u304f\u3055\u3093\uff01\uff01<\/p>\n

\u3053\u308c\u306f\u3082\u3046\u3001\u3053\u306e\u6642\u70b9\u3067 \u3084\u308b\u6c17\u30b9\u30a4\u30c3\u30c1<\/u><\/strong> \u304c\u5165\u308a\u307e\u3059\u3002
\u3073\u3093\u3073\u3093\u306b\u5165\u308a\u307e\u3059\u3002<\/p>\n

 <\/p>\n

\u3068\u3044\u3046\u3053\u3068\u3067\u3001\u307e\u305a\u306f\u9006\u30a2\u30bb\u30f3\u30d6\u30ea\u7d50\u679c\u3092\u898b\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n

\"image\"<\/a><\/p>\n

\u307e\u305a\u30ea\u30bd\u30fc\u30b9\u3092\u898b\u3066\u3001\u201dSmartAssembly \u306a\u306e\u304b\u306a\u3041..\u201d \u3068\u601d\u3044\u3092\u99b3\u305b\u3001<\/p>\n

\u6b21\u306b\u4f5c\u8005\u306e\u540d\u524d\u3092\u307f\u3066\u300c\u3054\u3081\u3093\u306a\u3055\u3044..\u300d\u3068\u3044\u3046\u61fa\u6094\u306e\u6c17\u6301\u3061\u306b\u306a\u308a\u3001
\u3044\u3063\u305f\u3093\u6c17\u5206\u8ee2\u63db\u306e\u70ba\u306b\u304a\u98a8\u5442\u306b\u884c\u304d\u307e\u3057\u305f\u3002<\/p>\n

\n

\u3053\u306e\u3068\u304d\u3001\u92ad\u6e6f\u306b\u3066\u3001\u98a8\u5442\u5834\u306b\u3044\u305f\u7686\u3055\u3093\u304b\u3089\u3082\u306e\u51c4\u304f\u5f37\u3044\u8996\u7dda\u3092\u611f\u3058\u3066
\u300c\u4f55\u304b\u79c1\u30df\u30b9\u3057\u3066\u308b\u304b\u306a\u30fb\u30fb\u300d\u3068\u601d\u3063\u3066\u632f\u308a\u8fd4\u3063\u305f\u3068\u3053\u308d\u3001
\u7686\u3055\u3093\u80cc\u4e2d\u3084\u8155\u306b\u7d75\u304c\u63cf\u304b\u308c\u3066\u3044\u305f\u306e\u306f\u3044\u3044\u601d\u3044\u51fa\u3067\u3059\u3002
\u3067\u3082\u305d\u306e\u3042\u3068\u300c\u6016\u3044\u4eba\u3058\u3083\u306a\u3044\u30fb\u30fb\uff01\u300d\u3068\u601d\u3046\u51fa\u6765\u3054\u3068\u3082\u3042\u308a\u307e\u3057\u3066\u3001
\u30eb\u30b7\u30a6\u30b9\u6280\u5e2b\u306e\u8a00\u8449\u3092\u601d\u3044\u51fa\u3057\u305f\u30fb\u30fb\u3068\u3044\u3046\u3053\u3068\u304c\u3042\u308a\u307e\u3057\u305f\u3002<\/p>\n<\/blockquote>\n

 <\/p>\n

\u305d\u306e\u5f8c\u3001\u3044\u3063\u305f\u3093\u81ea\u5206\u306e\u306a\u304b\u3067\u300c\u3054\u3081\u3093\u306a\u3055\u3044\u300d\u3092\u3057\u305f\u3046\u3048\u3067\u3001
\u300c\u3093\u3058\u3083\u89e3\u304f\u304b\uff01\u300d\u3068\u3044\u3046\u3053\u3068\u3067\u89e3\u6790\u3092\u59cb\u3081\u307e\u3057\u305f\u3002<\/p>\n

\n

\u3044\u3048\u3001\u4ee5\u524d\u3053\u3046\u3044\u3046\u5f62\u3067\u53d6\u308a\u4e0a\u3052\u3089\u308c\u305f\u3053\u3068\u304c\u3042\u308a\u307e\u3057\u3066\u30fb\u30fb
http:\/\/www.slideshare.net\/ymzkei5\/xss-201412089<\/a> <\/p>\n

\u307e\u305f\u3001\u3044\u308d\u3044\u308d\u3068\u304a\u4e16\u8a71\u306b\u306a\u3063\u3066\u3044\u308b\u304b\u305f\u3067\u3082\u3042\u308a\u307e\u3059\u306e\u3067\u3001\u7533\u3057\u8a33\u306a\u3044\u6c17\u6301\u3061\u304c\u3042\u3063\u305f\u306e\u3067\u3059\u304c\u3001\u300c\u3053\u308c\u306f CTF \u3060\u3002\u4eca\u306f\u7af6\u6280\u306b\u96c6\u4e2d\u3057\u3066\u3001\u7d42\u308f\u3063\u305f\u5f8c\u3001\u304a\u4f1a\u3044\u3057\u305f\u6642\u306b\u8b1d\u308c\u3070\u3044\u3044\u300d\u3068\u6c17\u6301\u3061\u3092\u5207\u308a\u66ff\u3048\u307e\u3057\u305f\u3002<\/p>\n<\/blockquote>\n

 <\/p>\n

\n

2. \u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u8d77\u52d5\u3059\u308b<\/h3>\n

\"image\"<\/a><\/p>\n

QRCode \u306e\u30d1\u30ba\u30eb\u30b2\u30fc\u30e0\u306b\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002
\u624b\u3067\u304b\u3061\u3083\u304b\u3061\u3083\u3084\u3063\u3066\u3001\u4f55\u304b\u6587\u5b57\u304c\u5f97\u3089\u308c\u308b QR \u3067\u3042\u308b\u3068\u3044\u3046\u3053\u3068\u3082\u5206\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n

\n

3. \u96e3\u8aad\u5316\u3092\u89e3\u304f<\/h3>\n

\u30d7\u30ed\u30b0\u30e9\u30e0\u304c\u3069\u3046\u3044\u3046\u3082\u306e\u304b\u5206\u304b\u3063\u305f\u3068\u3053\u308d\u3067\u3001\u96e3\u8aad\u5316\u3092\u89e3\u304d\u307e\u3059\u3002
\u306a\u3093\u3068\u306a\u304f\u96f0\u56f2\u6c17\u304b\u3089 SmartAssembly \u611f\u304c\u3057\u3066\u3044\u307e\u3057\u305f\u306e\u3067\u3001
\u305d\u306e\u96e3\u8aad\u5316\u89e3\u9664\u30c4\u30fc\u30eb\u3092\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u304b\u3089\u9069\u5f53\u306b\u6301\u3063\u3066\u304d\u3066\u9069\u7528\u3057\u307e\u3059\u3002<\/p>\n

 <\/p>\n

\u96e3\u8aad\u5316\u89e3\u9664\u524d\uff1a<\/p>\n

\"image\"<\/a><\/p>\n

\u96e3\u8aad\u5316\u89e3\u9664\u5f8c\uff1a<\/p>\n

\"image\"<\/a><\/p>\n

 <\/p>\n

\u8aad\u3081\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n

\n

4. Form_Load \u3092\u8aad\u3080<\/h3>\n

\u666e\u901a\u306e .net \u306a\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u8aad\u3080\u5834\u5408\u3001\u8aad\u307f\u59cb\u3081\u308b\u5834\u6240\u306f\u591a\u3005\u3042\u308b\u306e\u3067\u3059\u304c\u3001
\u753b\u9762\u306e\u521d\u671f\u5316\u90e8\u5206\u306e\u30b3\u30fc\u30c9\u3092\u898b\u308b\u3053\u3068\u3067\u3001\u4f55\u3092\u53e9\u3044\u3066\u3044\u308b\u306e\u304b\u3092\u8abf\u3079\u308b\u3053\u3068\u306b\u3057\u307e\u3057\u305f\u3002<\/p>\n

\u3053\u3093\u306a\u611f\u3058\u306e\u30b3\u30fc\u30c9\u3067\u3059\u3002
\u30b9\u30bf\u30c3\u30af\u30d9\u30fc\u30b9\u306e\u51e6\u7406\u7cfb\u306a\u306e\u3067\u3001\u5f15\u6570\u3092\u7a4d\u3093\u3067\u3001\u547c\u3073\u51fa\u3057\u3066\u3001\u7d50\u679c\u306f\u7a4d\u307e\u308c\u308b\u3002\u3068\u3044\u3046\u3088\u3046\u306a\u3002<\/p>\n

\"image\"<\/a><\/p>\n

 <\/p>\n

\u3067\u3082\u3063\u3066\u3001\u6ce8\u76ee\u3057\u305f\u3044\u306e\u306f\u3053\u306e\u3042\u305f\u308a\u3002<\/p>\n

\"image\"<\/a><\/p>\n

 <\/p>\n

\u5f15\u6570\uff08\u6570\u5b57\uff09\u3092\u53d6\u3063\u3066\u3001\u8fd4\u5024\u306f\u6587\u5b57\u5217\u306b\u306a\u308b\u3002
\u306a\u3093\u3068\u306a\u304f\u7b54\u3048\u306e\u6587\u5b57\u5217\u3092\u8aad\u3093\u3067\u305d\u3046\u306a\u96f0\u56f2\u6c17\u304c\u3057\u307e\u3057\u305f\u306e\u3067\u3001\u3053\u3053\u3092\u8aad\u3093\u3067\u307f\u307e\u3059\u3002<\/p>\n

\n

\u8aad\u307f\u8fbc\u3093\u3067\u3044\u308b\u3068\u601d\u308f\u308c\u308b\u6240\u306f\u4ed6\u306b\u3082\u5e7e\u3064\u304b\u3042\u308a\u307e\u3057\u305f\u304c\u3001
\u8aad\u3080\u306e\u304c\u9762\u5012\u304f\u3055\u305d\u3046\u3060\u3063\u305f\u306e\u3067\u3084\u3081\u307e\u3057\u305f\u30fb\u30fb\u3002 <\/p>\n

\u305f\u3068\u3048\u3070\u3001\u7b54\u3048\u3092\u30e1\u30e2\u30ea\u4e0a\u3067 MD5Hash \u306b\u3057\u3066\u3044\u308b\u30fb\u30fb\u3068\u601d\u308f\u308c\u308b<\/u>\u7b87\u6240\u306a\u3069\u3001
\u5e7e\u3064\u304b\u826f\u3055\u305d\u3046\u306a\u5834\u6240\u3082\u3042\u308a\u307e\u3057\u305f\u3002<\/p>\n<\/blockquote>\n

\"image\"<\/a><\/p>\n

\u898b\u305f\u611f\u3058\u3001\u30ea\u30bd\u30fc\u30b9\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u4f55\u304b\u8aad\u307f\u51fa\u3057\u3066\u3044\u308b\u3093\u3060\u308d\u3046\u3001\u3068\u3044\u3046\u96f0\u56f2\u6c17\u304c\u4f1d\u308f\u3063\u3066\u304d\u307e\u3059\u3002<\/p>\n

\u78ba\u8a8d\u306e\u305f\u3081\u306b\u30b3\u30f3\u30b9\u30c8\u30e9\u30af\u30bf\u3082\u898b\u3066\u307f\u307e\u3059\u3068\u3001
\u81ea\u5206\u81ea\u8eab\u3092\u53d6\u5f97\u3057\u3066\u305d\u306e\u4e2d\u306e\u30ea\u30bd\u30fc\u30b9\u30d5\u30a1\u30a4\u30eb\u3092\u629c\u304d\u51fa\u3057\u305f\u5f8c\u3001
\u51e6\u7406\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u4e8b\u304c\u8aad\u3081\u307e\u3059\u306e\u3067\u3001\u3053\u306e\u4e2d\u306b\u4f55\u304b\u7b54\u3048\u306b\u7e4b\u304c\u308b\u3082\u306e\u304c\u3042\u308b\u306a\u3001\u3068\u5224\u65ad\u3067\u304d\u307e\u3059\u3002 <\/p>\n

\uff08\u5b9f\u969b\u306b\u306f\u30ea\u30bd\u30fc\u30b9\u30c7\u30fc\u30bf\u3092\u30c7\u30fc\u30bf\u3068\u3057\u3066\u629c\u304d\u51fa\u3057\u305f\u5f8c\u3001\u96e3\u8aad\u5316\u3092\u89e3\u9664\u3057\u3001\u305d\u306e\u3042\u3068\u305d\u306e\u30c7\u30fc\u30bf\u3092\u30e9\u30a4\u30d6\u30e9\u30ea\u3068\u3057\u3066\u8aad\u307f\u76f4\u3057\u3066\u3001\u4e2d\u306b\u66f8\u304b\u308c\u3066\u3044\u308b\u547d\u4ee4\u3092\u5b9f\u884c\u3059\u308b\u30b3\u30fc\u30c9\u304c\u66f8\u304b\u308c\u3066\u3044\u308b\u3088\u3046\u3067\u3059\u3002\uff09<\/p>\n

\"image\"<\/a><\/p>\n

\n

5.\u5185\u90e8\u30ea\u30bd\u30fc\u30b9\u3092\u5c55\u958b<\/h3>\n

\u3044\u3061\u3044\u3061\u624b\u3067\u89e3\u3044\u3066\u3082\u3044\u3044\u306e\u3067\u3059\u304c\u3001CTF \u306f\u6642\u9593\u52dd\u8ca0\u3068\u3044\u3046\u3053\u3068\u3067\u3001
\u300c\u3069\u3046\u305b\u4e00\u56de\u89e3\u3044\u305f\u30c7\u30fc\u30bf\u306f\u30e1\u30e2\u30ea\u4e0a\u306b\u6301\u3063\u3066\u308b\u3060\u308d\u30fb\u30fb\u300d\u3068\u3044\u3046\u3053\u3068\u3067\u30c7\u30fc\u30bf\u3092\u629c\u304d\u51fa\u3057\u307e\u3059\u3002<\/p>\n

\u30c7\u30d0\u30c3\u30ac\u3067\u3061\u307e\u3061\u307e\u30fc\u3063\u3068\u3084\u3063\u3066 ( \u201c.loadby sos clr\u201d \u3068\u304b\u30fb\u30fb\uff01 ) \u629c\u304d\u51fa\u3059\u3068\u3053\u3093\u306a\u611f\u3058\uff1a<\/p>\n

\"image\"<\/a><\/p>\n

\u306a\u3093\u304b\u3053\u3046\u3001\u82f1\u5358\u8a9e\u5e33\u307f\u305f\u3044\u306a Dictionary \u578b\u306e\u30c7\u30fc\u30bf\u304c\u51fa\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n

 <\/p>\n

\u3082\u3057\u304b\u3057\u3066\u30fb\u30fb\u3068\u601d\u3044\u3001\u6700\u521d\u306b\u624b\u3067\u89e3\u3044\u305f\u7b54\u3048\u306e\u6587\u5b57\u5217\u304c\u5165\u3063\u3066\u3044\u306a\u3044\u304b\u3069\u3046\u304b\u3092\u8abf\u3079\u308b\u3068\u3001
\u3053\u306e\u4e00\u89a7\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n

\u3069\u3046\u3084\u3089\u4f7f\u3048\u305d\u3046\u3067\u3059\u3002<\/p>\n

\n

6\uff0e\u6a5f\u68b0\u7684\u306b\u89e3\u304f\u3002<\/h3>\n

\u3058\u3083\u3001\u7dcf\u5f53\u305f\u308a\u3059\u308c\u3070\u3044\u3044\u3093\u3067\u3059\u304b\u306d\uff1f
\u3068\u3044\u3046\u3053\u3068\u3067\u9069\u5f53\u306b\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u66f8\u3044\u3066\u307f\u307e\u3059\u3002<\/p>\n

\uff08\u8a00\u8a9e\u306f HSP.<\/p>\n

\n
origdic=\"seccon|accept|achieve|acquire|add|advance|affect|agree|allow|appear|apply|approach|argue|assume|avoid|bear|beat|belong|bite|care|catch|claim|communicate|compare|consider|consume|contact|contain|continue|cost|count|cover|create|cross|decline|define|depend|describe|destroy|determine|develop|die|disappear|discover|draw|earn|encourage|enter|establish|excite|exist|expect|explain|express|face|fail|fear|feed|fire|fit|flow|follow|gain|gather|get|guess|hit|hold|hunt|hurt|imagine|improve|include|increase|indicate|influence|insist|introduce|invent|involve|lay|lead|lie|lose|maintain|manage|manufacture|marry|mean|mention|miss|observe|offer|perform|please|prefer|prepare|press|prevent|produce|program|protect|prove|provide|publish|raise|reach|realize|receive|recognize|reduce|refer|reflect|refuse|regard|remain|remember|reply|represent|require|reveal|rise|risk|rule|satisfy|save|search|seat|seek|seem|serve|share|solve|sound|spend|spread|stay|steal|stick|strike|struggle|suffer|suggest|support|suppose|surprise|survive|tend|treat|vary|waste|wear|win|wonder|worry|action|activity|advantage|aid|amount|area|arms|aspect|atmosphere|attempt|attitude|audience|basis|behavior|benefit|bill|birth|blood|brain|case|cause|challenge|chance|character|choice|civilization|class|clerk|communication|community|company|competition|content|control|crowd|culture|customer|damage|degree|demand|desire|detail|development|difference|difficulty|direction|disease|distance|doubt|economy|education|effect|environment|event|evidence|exchange|exercise|experience|experiment|expression|fact|factor|failure|feature|field|figure|force|form|freedom|generation|god|government|growth|habit|history|idea|industry|information|issue|kid|knowledge|labor|lack|language|law|level|life|limit|line|literature|loss|majority|mark|market|mass|material|meal|measure|method|million|mind|mistake|moment|most|movement|nation|nature|note|object|office|opinion|opportunity|order|paper|party|period|phone|place|plant|pleasure|policy|population|position|power|practice|president|price|principle|problem|process|product|production|progress|purpose|quality|range|rate|reality|reason|relation|relationship|research|respect|response|rest|result|science|sense|shape|side|sign|situation|skill|society|sort|species|speech|stage|standard|state|step|stranger|stress|structure|subject|success|supply|surface|system|task|taste|technology|temperature|term|theory|trade|traffic|truth|universe|university|value|variety|view|war|weather|weight|afraid|ancient|available|average|aware|basic|certain|close|common|complete|complex|concerned|correct|direct|dressed|due|economic|environmental|equal|essential|expensive|familiar|famous|foreign|free|full|general|healthy|heavy|huge|human|impossible|individual|industrial|international|likely|local|major|married|medical|mental|modern|national|native|natural|necessary|obvious|ordinary|original|own|particular|past|personal|physical|political|popular|possible|practical|present|private|professional|public|recent|related|right|round|scientific|separate|serious|similar|single|social|special|strange|sure|thick|traditional|useful|various|vast|whole|wrong|abroad|actually|badly|especially|eventually|exactly|extremely|forward|frequently|generally|highly|however|immediately|indeed|later|maybe|merely|naturally|otherwise|particularly|pretty|probably|quite|recently|simply|therefore|although|unless|while|except|toward|worth|behind|abandon|absorb|accomplish|accompany|accuse|adapt|admire|admit|adopt|advertise|afford|aim|alter|annoy|appeal|arise|arrange|associate|attach|attend|attract|behave|bind|block|blow|borrow|breathe|collect|combine|command|compete|complain|compose|concentrate|conclude|confuse|connect|considerable|consist|construct|contribute|convey|convince|cope|criticize|decision|declare|decrease|defeat|defend|deny|derive|devote|disappoint|discuss|dislike|display|distinguish|disturb|divide|educate|emerge|emphasize|employ|enable|encounter|entertain|estimate|examine|expand|explore|export|expose|extend|fix|frighten|govern|graduate|greet|handle|hang|hate|hesitate|hire|identify|ignore|imply|import|impress|inform|intend|interpret|isolate|judge|notice|obtain|occupy|oppose|organize|overcome|participate|pause|perceive|permit|persuade|possess|praise|predict|preserve|pretend|promote|propose|punish|purchase|pursue|quit|react|recommend|recover|reject|release|rely|remind|remove|repair|replace|reserve|respond|retire|roll|rush|select|settle|sink|smell|stare|stimulate|stretch|suit|surround|suspect|tear|threaten|transfer|transform|translate|transport|vote|warn|account|addition|address|advice|affair|agent|agreement|agriculture|alternative|ancestor|anger|anxiety|appearance|assumption|association|author|authority|automobile|background|capacity|capital|career|characteristic|charge|circumstance|citizen|climate|conclusion|condition|conduct|conference|confidence|conflict|consequence|consumption|continent|contrast|contribution|conversation|cooperation|copy|creation|crime|crisis|criticism|crop|curiosity|custom|debate|debt|decade|definition|delight|democracy|desert|destruction|device|diet|disaster|discipline|discussion|distinction|district|drug|element|employee|enemy|entertainment|error|evolution|excuse|expert|explanation|extent|faith|fate|fault|favor|flight|focus|fuel|function|genius|goal|grammar|grant|guide|harm|height|household|humanity|ideal|imagination|immigrant|impact|impression|income|independence|instruction|intelligence|item|journey|joy|judgement|laboratory|landscape|laughter|leisure|lesson|luck|manager|manner|master|match|matter|merchant|murder|necessity|neighborhood|notion|novel|observation|occasion|occupation|operation|organization|origin|pain|passage|passenger|personality|phenomenon|philosopher|philosophy|physics|plenty|politician|politics|popularity|presence|profit|project|proof|property|proportion|proverb|psychologist|quantity|reaction|region|religion|remark|reputation|revolution|reward|row|security|self|shift|shortage|sight|significance|skin|soil|soldier|solution|statement|status|stock|strength|substance|sum|survey|survival|talent|theme|thought|threat|tongue|tradition|treatment|tribe|trust|union|vehicle|victim|violence|virus|vision|vocabulary|wealth|wisdom|witness|youth|accurate|actual|alike|anxious|appropriate|asleep|attractive|awake|biological|bored|brief|capable|chemical|civilized|comfortable|complicated|conscious|constant|contemporary|contrary|convenient|creative|critical|curious|current|dependent|distant|domestic|dramatic|dull|eager|educational|effective|efficient|elderly|emotional|empty|engaged|enormous|entire|evil|extra|extraordinary|extreme|fair|FALSE|fat|favorite|female|financial|firm|former|friendly|fundamental|gentle|global|harmful|historical|honest|immediate|independent|intellectual|intelligent|internal|junior|latter|literary|medium|military|mysterious|narrow|nearby|negative|nervous|nuclear|opposite|patient|pleasant|polite|positive|potential|previous|primary|primitive|proper|proud|rare|reasonable|remarkable|responsible|rough|rural|senior|sensitive|severe|significant|silly|slight|smart|solid|specific|stupid|sudden|suitable|superior|technical|terrible|tiny|tough|typical|unique|universal|unknown|unusual|upset|urban|useless|valuable|visible|vital|wealthy|welcome|well-known|willing|absolutely|alive|apart|closely|constantly|directly|entirely|fairly|forever|fully|gradually|largely|necessarily|nevertheless|normally|obviously|occasionally|possibly|properly|rapidly|seldom|slightly|somehow|somewhat|surely|totally|unfortunately|virtually|widely|wherever|despite|unlike|acknowledge|adjust|advise|amuse|analyze|assure|astonish|beg|bend|blink|bow|broadcast|burst|bury|capture|cease|celebrate|characterize|cling|commit|confine|confirm|confront|constitute|convert|cultivate|cure|dare|delay|deliver|depress|devise|diminish|disagree|discourage|dominate|dwell|eliminate|embarrass|endure|ensure|equip|evolve|exhaust|exhibit|fascinate|float|fold|found|fulfill|gaze|generate|grasp|guarantee|guard|illustrate|imitate|impose|inclined|industrialize|inspire|interfere|interrupt|investigate|justify|leap|melt|misunderstand|neglect|nod|offend|originate|overlook|owe|pour|pray|proceed|protest|rank|relieve|request|resist|resolve|restrict|retain|review|ruin|scare|scatter|scream|secure|specialize|spoil|strengthen|substitute|suppress|swallow|sweep|trace|undergo|urge|wander|weigh|whisper|yell|absence|accent|acceptance|access|acquaintance|affection|aggression|alarm|ambition|appetite|application|appointment|arrangement|athlete|avenue|band|border|burden|campaign|candidate|cash|category|cave|cell|charm|colleague|colony|committee|companion|comparison|complaint|complexity|composition|confusion|construction|contract|convention|courage|crash|crew|critic|description|dialect|dignity|disadvantage|dispute|division|divorce|document|ecology|economics|editor|emotion|emperor|enterprise|enthusiasm|equality|era|exception|executive|expense|explosion|extinction|facility|fairy|flame|fortune|foundation|frontier|fund|funeral|fur|furniture|garbage|gene|globe|grave|ground|harmony|harvest|honor|hunger|immigration|impulse|incident|infant|inhabitant|injury|insect|insight|instinct|institution|instrument|insurance|introduction|investment|liberty|limitation|load|location|logic|lord|lung|luxury|mail|mammal|mineral|minority|mood|motive|myth|neighbor|nerve|obligation|orbit|output|owner|participant|passion|patience|perception|perspective|pile|pioneer|poison|portion|possession|preference|prejudice|privilege|profession|pronunciation|prospect|punishment|pursuit|ray|recognition|reference|reflection|relief|requirement|resident|ritual|root|sacrifice|scholar|seed|servant|shade|shame|shelter|shore|similarity|site|specialist|statistics|steam|strip|stuff|suburb|tale|telescope|tension|territory|text|tide|tip|tone|traffic jam|tragedy|trail|trait|transportation|trap|treasure|trial|trick|unemployment|version|virtue|volunteer|voyage|wage|weapon|Westerner|absolute|abstract|accustomed|additional|adequate|aggressive|amazing|annual|apparent|artificial|Atlantic|atomic|awful|based|brilliant|calm|casual|civil|classical|definite|delicate|democratic|desirable|dirty|distinct|elaborate|electrical|elementary|equivalent|evident|exact|excessive|external|frequent|generous|genuine|grand|guilty|identical|inevitable|inferior|initial|inner|intimate|invisible|keen|latest|legal|liberal|located|logical|long-term|massive|mature|mechanical|minor|mutual|numerous|odd|overwhelming|painful|passive|peculiar|permanent|plain|precious|precise|precisely|prime|principal|profound|racial|rational|raw|relative|reliable|remote|routine|rude|satisfactory|sensible|spare|spiritual|steady|strict|subtle|sufficient|tremendous|tropical|ultimate|uncomfortable|unexpected|unlikely|unpleasant|verbal|visual|widespread|aloud|altogether|barely|commonly|consequently|deliberately|effectively|essentially|firmly|increasingly|literally|practically|primarily|readily|regardless|regularly|roughly|socially|steadily|traditionally|undoubtedly|whereas|beneath\"\n\nTEXTBOXADDR = 0xA098E\nPROGBARADDR = 0x110C6A\n\nsysfont 17\nsplit origdic,\"|\",dic\nprog = 0\nrepeat\nif prog > 299 : break\nlast = \"HELLO SECCON\"\nsendmsg TEXTBOXADDR,0xC,0,last\nawait 0\nrepeat length(dic)\nsendmsg TEXTBOXADDR,0xC,0,dic(cnt)\nsendmsg PROGBARADDR,0x408\nif  prog != stat: prog = stat: title \"Q.\"+stat+\" - HIT: \"+dic(cnt): break\nloop\nloop\ntitle \"DONE.\"\n<\/pre>\n<\/div>\n
 <\/p>\n
\u4f7f\u3044\u65b9\u3068\u3057\u3066\u306f TEXTBOXADDR \u3068 PROGBARADDR \u306b\u30a6\u30a3\u30f3\u30c9\u30a6\u30cf\u30f3\u30c9\u30eb\u306e\u5024\u3092\u4e0e\u3048\u3066\u5b9f\u884c\u3059\u308c\u3070\u3001
\n  
\u3042\u3068\u306f3\u5206\u7a0b\u5ea6\u307b\u3063\u305f\u3089\u304b\u3057\u3066\u7f6e\u304f\u3060\u3051\u3067\u7b54\u3048\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n
\u4ed5\u639b\u3051\u3068\u3057\u3066\u306f\u3001<\/p>\n
1. \u30c6\u30ad\u30b9\u30c8\u30dc\u30c3\u30af\u30b9\u306b WM_SETTEXT (0xC) \u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u9001\u308a\u3001\u4efb\u610f\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u3067\u521d\u671f\u5316\u3059\u308b\u3002
\n  
https:\/\/msdn.microsoft.com\/ja-jp\/library\/windows\/desktop\/ms632644(v=vs.85).aspx<\/a><\/p>\n
2. \u30c6\u30ad\u30b9\u30c8\u30dc\u30c3\u30af\u30b9\u306b\u53d6\u5f97\u3057\u305f\u8f9e\u66f8\u306e\u5358\u8a9e\u3092\u4e00\u3064\u53d6\u308a\u51fa\u3057\u3066\u9001\u308b\u3002<\/p>\n
3. \u30d7\u30ed\u30b0\u30e9\u30e0\u30d0\u30fc\u306b PBM_GETPOS (0x408) \u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u6295\u3052\u3066\u73fe\u5728\u306e\u9032\u6357\u3092\u8abf\u3079\u308b\u3002
\n  
https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb760830(v=vs.85).aspx<\/a><\/p>\n
4. \u9032\u6357\u304c 299 \u3092\u8d85\u3048\u3066\u3044\u308c\u3070\u30bd\u30eb\u30d0\u3092\u7d42\u4e86\u3059\u308b\u3002<\/p>\n
\u3068\u3044\u3046\u3088\u3046\u306a\u6d41\u308c\u3067\u3059\u3002<\/p>\n
 <\/p>\n
\n
Appendix.<\/h3>\n
\u3058\u3083\u3001\u3069\u3046\u3084\u3063\u3066\u5b88\u308c\u3070\u3044\u3044\u306e\u3068\u3044\u3046\u3068\u3053\u308d\u3067\u3059\u304c\u30fb\u30fb\u3002
\n  
\u79c1\u3082\u30d7\u30ec\u30a4\u30e4\u30fc\u3067\u3059\u306e\u3067\u8a73\u3057\u304f\u66f8\u304f\u3068\u8272\u3005\u3068\u5bfe\u7b56\u3055\u308c\u305d\u3046\u306a\u306e\u3067\u30dc\u30bd\u30dc\u30bd\u30c3\u3068\u3002<\/p>\n
\uff08\u3067\u3082\u3082\u3046\u3001\u805e\u304b\u308c\u305f\u3089\u7b54\u3048\u3088\u3046\u304b\u306a\u3068\u3082\u601d\u3063\u3066\u307e\u3059\u3002\u3002<\/p>\n
\u305f\u3068\u3048\u3070\u4eca\u56de\u79c1\u304c\u4f7f\u7528\u3057\u305f SendMessage \u7cfb\u306f
\n  
Windows \u306e\u6614\u306a\u304c\u3089\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304c\u554f\u984c\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u305f\u70ba\u306b\u4f7f\u3048\u305f\u3068\u3044\u3046\u3068\u3053\u308d\u304c\u3042\u308a\u3001<\/p>\n
\u305d\u3046\u3067\u306a\u3051\u308c\u3070\u9632\u3052\u305f\u306e\u304b\u306a\u3068\u3082\u3002<\/p>\n
\u3042\u3068\u306f\u3001\u30e1\u30e2\u30ea\u306b\u5c55\u958b\u3057\u305f\u30c7\u30fc\u30bf\u3092\u305d\u306e\u307e\u307e\u306b\u3057\u3066\u304a\u304f\u3068\u3044\u3046\u306e\u3082\u3001\u3042\u3093\u307e\u308a\u30fb\u30fb\u3068\u601d\u3063\u3066\u307f\u305f\u308a\u3002
\n  
\u305d\u308c\u4ee5\u5916\u306b\u3082\u6c17\u306b\u306a\u3063\u305f\u70b9\u306f\u3044\u304f\u3064\u304b\u3042\u308a\u307e\u3057\u305f\u3002<\/p>\n
\u30fb\u30fb\u30fb\u6642\u9593\u304c\u51fa\u6765\u305f\u3089\u3001\u79c1\u304c\u3082\u3057\u4f5c\u554f\u8005\u5074\u306a\u3089\u3069\u3046\u5bfe\u7b56\u3057\u3088\u3046\u30fb\u30fb\u3068\u3044\u3046\u306e\u3092\u5b9f\u9a13\u3057\u3066\u30d6\u30ed\u30b0\u8a18\u4e8b\u3092\u66f8\u3044\u3066\u307f\u305f\u3044\u3068\u3053\u308d\u3067\u3059\u3002<\/p>\n
\n
\u305d\u3093\u306a\u3053\u3093\u306a\u3067\u3001\u4e45\u3057\u3076\u308a\u306b CTF \u3067\u30ef\u30a4\u30ef\u30a4\u3057\u305f\u3001\u305d\u3093\u306a2\u65e5\u9593\uff08\uff1f\uff09\u3067\u3057\u305f\u3002
\n  
\uff08\u305d\u3093\u306a\u308f\u3051\u3067\u3001 CTF Advent Calendar 2015 \u306e\u8a18\u4e8b\u306b\u3082\u3057\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u3069\u3046\u3082\u307f\u3080\u3089\u3067\u3059\u3002 \u51ac\u3060\uff01\u304a\u3053\u305f\u3060\uff01CTF\u3060\uff01 \u3068\u3044\u3046\u3053\u3068\u3067\u3001 \u4eca\u5e74\u3082 SECCON CTF 2015 \u306e\u30aa\u30f3\u30e9\u30a4\u30f3\u4e88\u9078\u306b\u53c2\u52a0\u3057\u307e\u3057\u305f\u3002 12\u67085\u65e5\uff5e12\u67086\u65e5\u3068\u3044\u3046\u3053\u3068\u3067\u3001 \u3093\u3058\u3083\u6cca\u307e\u308a\u8fbc\u3093\u3067\u3084\u3063\u3066\u307f\u307e\u3059\u304b\u30fb\u30fb\u3068\u3044\u3046\u3053 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[595,471],"class_list":["post-5365","post","type-post","status-publish","format-standard","hentry","category-other","tag-qr","tag-seccon"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/comments?post=5365"}],"version-history":[{"count":0,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5365\/revisions"}],"wp:attachment":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/media?parent=5365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/categories?post=5365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/tags?post=5365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}