ssh [email protected] -p2224
objdump -S /levels/level01
From the disassembly, you can guess that the source looks roughly like this:
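#include <stdio.h>
#include <string.h>

char password[10];

void pass() {
    // update the password
}

int main(int argc, const char *argv[]) {
    if (argc != 2) {
        printf("You need to supply a password.\nUsage: ./level01 [password]");
        return 1;  // stop here: argv[1] is not available
    }
    pass();
    // strcmp() returns 0 on a match, so a non-zero result means failure
    if (strcmp(password, argv[1]) != 0) {
        // fail
    }
    else {
        // success
    }
    return 0;
}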
Let's take a look at the disassembly of pass():
0804852d <pass>:
804852d: 55 push %ebp
804852e: 89 e5 mov %esp,%ebp
8048530: 83 ec 04 sub $0x4,%esp
8048533: c7 45 fc 40 91 04 08 movl $0x8049140,-0x4(%ebp)
804853a: c7 05 40 91 04 08 53 movl $0x53,0x8049140
8048541: 00 00 00
8048544: c7 05 44 91 04 08 65 movl $0x65,0x8049144
804854b: 00 00 00
804854e: c7 05 48 91 04 08 63 movl $0x63,0x8049148
8048555: 00 00 00
8048558: c7 05 4c 91 04 08 72 movl $0x72,0x804914c
804855f: 00 00 00
8048562: c7 05 50 91 04 08 65 movl $0x65,0x8049150
8048569: 00 00 00
804856c: c7 05 54 91 04 08 74 movl $0x74,0x8049154
8048573: 00 00 00
8048576: c7 05 58 91 04 08 50 movl $0x50,0x8049158
804857d: 00 00 00
8048580: c7 05 5c 91 04 08 57 movl $0x57,0x804915c
8048587: 00 00 00
804858a: c7 05 60 91 04 08 00 movl $0x0,0x8049160
8048591: 00 00 00
8048594: c9 leave
8048595: c3 ret
0x8049140 is the address of the password string. Each movl stores one character code, and the final movl $0x0 terminates the string. Open irb and concatenate all the hex values:
1.9.3p286 :009 > "\x53\x65\x63\x72\x65\x74\x50\x57"
So we've got the password of level2: tLmf7msJTJHEpw
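
The manual concatenation above can be automated. The following Ruby script is an added example, not part of the original write-up: it parses the objdump lines from the pass() listing and rebuilds the string by walking the stores in address order. The function names and the 4-byte stride (read off the addresses in the listing) are assumptions of this example.

```ruby
# Lines copied from the pass() listing above (byte-continuation lines dropped).
DISASM = <<~ASM
  8048533: c7 45 fc 40 91 04 08 movl $0x8049140,-0x4(%ebp)
  804853a: c7 05 40 91 04 08 53 movl $0x53,0x8049140
  8048544: c7 05 44 91 04 08 65 movl $0x65,0x8049144
  804854e: c7 05 48 91 04 08 63 movl $0x63,0x8049148
  8048558: c7 05 4c 91 04 08 72 movl $0x72,0x804914c
  8048562: c7 05 50 91 04 08 65 movl $0x65,0x8049150
  804856c: c7 05 54 91 04 08 74 movl $0x74,0x8049154
  8048576: c7 05 58 91 04 08 50 movl $0x50,0x8049158
  8048580: c7 05 5c 91 04 08 57 movl $0x57,0x804915c
  804858a: c7 05 60 91 04 08 00 movl $0x0,0x8049160
ASM

# AT&T syntax: "movl $imm,0xADDR". Stores to stack slots such as
# -0x4(%ebp) do not match because the destination must start with "0x".
STORE = /movl\s+\$0x(\h+),0x(\h+)\s*$/

# Returns { absolute_address => immediate_value } for every matching store.
def immediate_stores(listing)
  listing.scan(STORE).map { |imm, addr| [addr.hex, imm.hex] }.to_h
end

# Walks memory from `base` in `stride`-byte steps until a zero or a gap.
def recover_string(listing, base:, stride: 4)
  stores = immediate_stores(listing)
  out = +""
  addr = base
  while (value = stores[addr]) && value != 0
    raise ArgumentError, "not a byte at 0x#{addr.to_s(16)}" if value > 0xff
    out << value.chr
    addr += stride
  end
  out
end

puts recover_string(DISASM, base: 0x8049140) if __FILE__ == $PROGRAM_NAME
```

Because the walk is keyed by address rather than by line order, it still works when the compiler emits the stores out of sequence.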