Skip to content

Latest commit

 

History

History
107 lines (92 loc) · 3.85 KB

379.md

File metadata and controls

107 lines (92 loc) · 3.85 KB

PIN

  1. Running the executable file tells us that it requires a PIN as input, which will then be compared with the correct PIN in the program. PIN is the flag.

  2. Start gdb, set a breakpoint and disas main():

    gdb ./rev1
    (gdb) break main
Breakpoint 1 at 0x4005da
(gdb) r
Starting program: /home/harshit/Downloads/rev1 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x00000000004005da in main ()
(gdb) disas main
Dump of assembler code for function main:
    0x00000000004005d6 <+0>:    push   %rbp
    0x00000000004005d7 <+1>:    mov    %rsp,%rbp
=>  0x00000000004005da <+4>:    sub    $0x10,%rsp
    0x00000000004005de <+8>:    lea    0xdf(%rip),%rdi        # 0x4006c4
    0x00000000004005e5 <+15>:   mov    $0x0,%eax
    0x00000000004005ea <+20>:   call   0x4004a0 <printf@plt>
    0x00000000004005ef <+25>:   lea    -0x4(%rbp),%rax
    0x00000000004005f3 <+29>:   mov    %rax,%rsi
    0x00000000004005f6 <+32>:   lea    0xd6(%rip),%rdi        # 0x4006d3
    0x00000000004005fd <+39>:   mov    $0x0,%eax
    0x0000000000400602 <+44>:   call   0x4004b0 <__isoc99_scanf@plt>
    0x0000000000400607 <+49>:   mov    -0x4(%rbp),%eax
    0x000000000040060a <+52>:   mov    %eax,%edi
    0x000000000040060c <+54>:   call   0x4005b6 <cek>
    0x0000000000400611 <+59>:   test   %eax,%eax
    0x0000000000400613 <+61>:   je     0x400623 <main+77>
    0x0000000000400615 <+63>:   lea    0xba(%rip),%rdi        # 0x4006d6
    0x000000000040061c <+70>:   call   0x400490 <puts@plt>
    0x0000000000400621 <+75>:   jmp    0x40062f <main+89>
    0x0000000000400623 <+77>:   lea    0xba(%rip),%rdi        # 0x4006e4
    0x000000000040062a <+84>:   call   0x400490 <puts@plt>
    0x000000000040062f <+89>:   mov    $0x0,%eax
    0x0000000000400634 <+94>:   leave
    0x0000000000400635 <+95>:   ret
End of assembler dump.

    The code looks like it calls a function cek(), depending on whose return value (zero or non-zero), different puts are encountered.

  3. Disassemble cek():

    (gdb) disas cek
Dump of assembler code for function cek:
0x00000000004005b6 <+0>:    push   %rbp
0x00000000004005b7 <+1>:    mov    %rsp,%rbp
0x00000000004005ba <+4>:    mov    %edi,-0x4(%rbp)
0x00000000004005bd <+7>:    mov    0x200a7d(%rip),%eax        # 0x601040 <valid>
0x00000000004005c3 <+13>:   cmp    %eax,-0x4(%rbp)
0x00000000004005c6 <+16>:   jne    0x4005cf <cek+25>
0x00000000004005c8 <+18>:   mov    $0x1,%eax
0x00000000004005cd <+23>:   jmp    0x4005d4 <cek+30>
0x00000000004005cf <+25>:   mov    $0x0,%eax
0x00000000004005d4 <+30>:   pop    %rbp
0x00000000004005d5 <+31>:   ret
End of assembler dump.

    cmp instruction compares the arg with value stored in eax, acc to which the function returns 0 or 1

  4. Set a breakpoint at the cmp instruction:

    (gdb) break *cek+13
Breakpoint 2 at 0x4005c3
(gdb) c
Continuing.
Masukan PIN = 1234

Breakpoint 2, 0x00000000004005c3 in cek ()
(gdb) i r
rax            0x51615             333333
rbx            0x7fffffffdee8      140737488346856
rcx            0x0                 0
rdx            0x0                 0
rsi            0x4d2               1234
rdi            0x4d2               1234
rbp            0x7fffffffdda0      0x7fffffffdda0
rsp            0x7fffffffdda0      0x7fffffffdda0
.
.
.

    Value at rax (eax is the low 32 bits of rax) is 333333 which might be the correct PIN.

  5. Verify:

    Masukan PIN = 1234
PIN salah !
    Masukan PIN = 333333
PIN benar !