What’s up everyone? It’s been quite a while. This is just going to be an easy little puzzle for you guys to play around with. I got bored in class so I decided to make a fake login in C.
There are 3 intended solutions to this, but those are for you to find out!
The code for the puzzle can be found here: http://pastebin.com/T9XA0gjS
BUT! If you want to solve the puzzles without looking at the code first, just follow this:
I’ll have my 3 solutions in the spoilers below. Have fun!
The first solution is the easiest. We can simply overflow the buffer used to store the given password to change the value of the “valid” integer to a non-zero number, which will evaluate to true when it’s checked.
The second solution is a bit harder, but still pretty easy. We’ll start by using objdump on our executable to get the assembly for all of the funtions:
Now that we have this dump file, let’s take a look in it. We’ll scroll all the way down to the assembly for the main function. BUT, what’s this? Right above the main function we can see there is another function that is hidden from us:
But, if we look at the main function, this secret function is never called. But don’t worry, GDB to the rescue! We can changed the EIP to point to the secret function, and force it to execute:
Now if we let the program finish, we should see the output of the secret function:
Our last solution is the largest pain in the ass out the 3. When we execute our login, the values are juggled around in the registers, as usual. BUT, using GDB, we can read these registers and find the password while it’s being tested.
To do this, we just start our login in GDB normally:
Now that we’re here, let’s disassemble this program and take a look at the assembly. Specifically, we’re going to look where the gets() function is called, and the instructions that follow it:
Here we can see that after gets() is called, there’s a lot of movement done with the EAX register. So, if we monitor the EAX register, we might be able to find something. We’ll use the display command to show whats in EAX every time we step through an instruction.
This is what a change in EAX will look like, that number to the right will change. Now, let’s step through our program until we’re prompted for a password, then we’ll start paying attention to this number:
Now that we’ve been prompted for the password, let’s keep an eye on EAX until it changes again:
There we go. Now, if we use “x/s” to convert to contents of the address currently stored in EAX to a string, we should have the password for our login: