esrever
October 22nd, 2010, 22:15
Hi all,
I've been searching for information on the Smash the Stack wargames and found this thread.
http://www.woodmann.com/forum/showthread.php?7932-Reverse-Engineering-Challenges!!!&highlight=smashthestack
However, there is no detailed discussion of the wargames themselves.
I've been trying one of the challenges at blackbox.smashthestack.org and am stuck at this point. Hopefully someone can guide me on how to solve this problem.
Thanks
View all the files in the current directory
Quote:
level1@blackbox:~$ ls -las
total 1184
   4 drwxr-x---  2 level1 level1    4096 Jul  9  2009 .
   4 drwxr-xr-x 16 root   root      4096 Dec 20  2009 ..
   0 lrwxrwxrwx  1 root   root         9 Jun 17  2009 .bash_history -> /dev/null
   4 -rw-r--r--  1 level1 level1     567 Dec 29  2007 .bash_profile
   4 -rw-r--r--  1 level1 level1    1834 Jan 28  2008 .bashrc
1168 -rws--xr-x  1 level2 level2 1189337 Jan 12  2008 login2
Checking the type of the file
Quote:
level1@blackbox:~$ file login2
login2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, for GNU/Linux 2.4.1, not stripped
Trying to execute the LSB executable file. Looks like this file is asking for a password.
Quote:
level1@blackbox:~$ ./login2
Username:
Password:
Invalid username or password
I know the password is hidden somewhere in the file, so I ran gdb to see the contents of the file. (Actually there is another, easier way to get the hidden message, but I wanted to learn how to use gdb in order to get it.)
Quote:
level1@blackbox:~$ gdb ./login2
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
To view the assembly code for the function "main":
Quote:
(gdb) disassemble main
Dump of assembler code for function main:
0x0804827a <main+0>:    lea    0x4(%esp),%ecx
0x0804827e <main+4>:    and    $0xfffffff0,%esp
0x08048281 <main+7>:    pushl  0xfffffffc(%ecx)
0x08048284 <main+10>:   push   %ebp
0x08048285 <main+11>:   mov    %esp,%ebp
0x08048287 <main+13>:   push   %ebx
0x08048288 <main+14>:   push   %ecx
0x08048289 <main+15>:   sub    $0x30,%esp
0x0804828c <main+18>:   lea    0xfffffff4(%ebp),%eax
0x0804828f <main+21>:   mov    %eax,(%esp)
0x08048292 <main+24>:   call   0x8072ec0 <_ZNSsC1Ev>
0x08048297 <main+29>:   lea    0xfffffff0(%ebp),%eax
0x0804829a <main+32>:   mov    %eax,(%esp)
0x0804829d <main+35>:   call   0x8072ec0 <_ZNSsC1Ev>
0x080482a2 <main+40>:   movl   $0x80ffe48,0x4(%esp)
0x080482aa <main+48>:   movl   $0x8130f60,(%esp)
0x080482b1 <main+55>:   call   0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482b6 <main+60>:   lea    0xfffffff4(%ebp),%eax
0x080482b9 <main+63>:   mov    %eax,0x4(%esp)
0x080482bd <main+67>:   movl   $0x8130ec0,(%esp)
0x080482c4 <main+74>:   call   0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482c9 <main+79>:   movl   $0x80ffe53,0x4(%esp)
0x080482d1 <main+87>:   movl   $0x8130f60,(%esp)
0x080482d8 <main+94>:   call   0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x080482dd <main+99>:   lea    0xfffffff0(%ebp),%eax
0x080482e0 <main+102>:  mov    %eax,0x4(%esp)
0x080482e4 <main+106>:  movl   $0x8130ec0,(%esp)
0x080482eb <main+113>:  call   0x806b2e0 <_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E>
0x080482f0 <main+118>:  movl   $0x80ffe5e,0x4(%esp)
0x080482f8 <main+126>:  lea    0xfffffff4(%ebp),%eax
0x080482fb <main+129>:  mov    %eax,(%esp)
0x080482fe <main+132>:  call   0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x08048303 <main+137>:  xor    $0x1,%al
0x08048305 <main+139>:  test   %al,%al
0x08048307 <main+141>:  jne    0x8048328 <main+174>
0x08048309 <main+143>:  movl   $0x80ffe65,0x4(%esp)
0x08048311 <main+151>:  lea    0xfffffff0(%ebp),%eax
0x08048314 <main+154>:  mov    %eax,(%esp)
0x08048317 <main+157>:  call   0x80483ee <_ZSteqIcSt11char_traitsIcESaIcEEbRKSbIT_T0_T1_EPKS3_>
0x0804831c <main+162>:  xor    $0x1,%al
0x0804831e <main+164>:  test   %al,%al
0x08048320 <main+166>:  jne    0x8048328 <main+174>
0x08048322 <main+168>:  movb   $0x1,0xffffffe7(%ebp)
0x08048326 <main+172>:  jmp    0x804832c <main+178>
0x08048328 <main+174>:  movb   $0x0,0xffffffe7(%ebp)
0x0804832c <main+178>:  movzbl 0xffffffe7(%ebp),%eax
0x08048330 <main+182>:  test   %al,%al
0x08048332 <main+184>:  je     0x8048366 <main+236>
0x08048334 <main+186>:  movl   $0x80ffe6e,0x4(%esp)
0x0804833c <main+194>:  movl   $0x8130f60,(%esp)
0x08048343 <main+201>:  call   0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x08048348 <main+206>:  movl   $0x806e0c0,0x4(%esp)
0x08048350 <main+214>:  mov    %eax,(%esp)
0x08048353 <main+217>:  call   0x806bf10 <_ZNSolsEPFRSoS_E>
0x08048358 <main+222>:  movl   $0x80ffe80,(%esp)
0x0804835f <main+229>:  call   0x80b5ab0 <system>
0x08048364 <main+234>:  jmp    0x804838a <main+272>
0x08048366 <main+236>:  movl   $0x80ffe88,0x4(%esp)
0x0804836e <main+244>:  movl   $0x8130f60,(%esp)
0x08048375 <main+251>:  call   0x806d8f0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
0x0804837a <main+256>:  movl   $0x806e0c0,0x4(%esp)
0x08048382 <main+264>:  mov    %eax,(%esp)
0x08048385 <main+267>:  call   0x806bf10 <_ZNSolsEPFRSoS_E>
0x0804838a <main+272>:  lea    0xfffffff0(%ebp),%eax
0x0804838d <main+275>:  mov    %eax,(%esp)
0x08048390 <main+278>:  call   0x8074e40 <_ZNSsD1Ev>
0x08048395 <main+283>:  jmp    0x80483ad <main+307>
0x08048397 <main+285>:  mov    %eax,0xffffffdc(%ebp)
0x0804839a <main+288>:  mov    0xffffffdc(%ebp),%ebx
0x0804839d <main+291>:  lea    0xfffffff0(%ebp),%eax
0x080483a0 <main+294>:  mov    %eax,(%esp)
0x080483a3 <main+297>:  call   0x8074e40 <_ZNSsD1Ev>
0x080483a8 <main+302>:  mov    %ebx,0xffffffdc(%ebp)
0x080483ab <main+305>:  jmp    0x80483c5 <main+331>
0x080483ad <main+307>:  lea    0xfffffff4(%ebp),%eax
0x080483b0 <main+310>:  mov    %eax,(%esp)
0x080483b3 <main+313>:  call   0x8074e40 <_ZNSsD1Ev>
0x080483b8 <main+318>:  mov    $0x0,%eax
0x080483bd <main+323>:  mov    %eax,0xffffffe0(%ebp)
0x080483c0 <main+326>:  jmp    0x80483e1 <main+359>
0x080483c2 <main+328>:  mov    %eax,0xffffffdc(%ebp)
0x080483c5 <main+331>:  mov    0xffffffdc(%ebp),%ebx
0x080483c8 <main+334>:  lea    0xfffffff4(%ebp),%eax
0x080483cb <main+337>:  mov    %eax,(%esp)
0x080483ce <main+340>:  call   0x8074e40 <_ZNSsD1Ev>
0x080483d3 <main+345>:  mov    %ebx,0xffffffdc(%ebp)
0x080483d6 <main+348>:  mov    0xffffffdc(%ebp),%eax
0x080483d9 <main+351>:  mov    %eax,(%esp)
0x080483dc <main+354>:  call   0x80a5180 <_Unwind_Resume>
0x080483e1 <main+359>:  mov    0xffffffe0(%ebp),%eax
0x080483e4 <main+362>:  add    $0x30,%esp
0x080483e7 <main+365>:  pop    %ecx
0x080483e8 <main+366>:  pop    %ebx
0x080483e9 <main+367>:  pop    %ebp
0x080483ea <main+368>:  lea    0xfffffffc(%ecx),%esp
0x080483ed <main+371>:  ret
End of assembler dump.
(gdb)
I'm stuck at this. Which instruction should I look at in order to find the hidden message?

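For orientation, the control flow of main above maps onto the following C++ (an added reconstruction written here from the disassembly, not the challenge's own source; the user, password and command literals and the success message are placeholders, since their text is not on the page, and each statement is annotated with the main+N offset it corresponds to):

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Placeholders (constructed for this example): the real literals sit in .rodata
// at the addresses loaded before each call (0x80ffe5e, 0x80ffe65, 0x80ffe80);
// their text is not shown on the page.
static const char *kExpectedUser = "USER_PLACEHOLDER";
static const char *kExpectedPass = "PASS_PLACEHOLDER";
static const char *kShellCommand = "COMMAND_PLACEHOLDER";

// main+118..+166: two calls to std::operator==(const std::string&, const char*),
// each followed by "xor $0x1,%al / test %al,%al / jne <main+174>". The combined
// result byte is stored at -0x19(%ebp) (main+168 or main+174) and tested at main+182.
bool credentials_match(const std::string &user, const std::string &pass)
{
    return user == kExpectedUser && pass == kExpectedPass;
}

int main()
{
    std::string user;   // -0xc(%ebp),  constructed at main+24
    std::string pass;   // -0x10(%ebp), constructed at main+35

    std::cout << "Username: ";        // main+55:  operator<<(cout, const char*)
    std::getline(std::cin, user);     // main+74:  getline(cin, user)
    std::cout << "Password: ";        // main+94
    std::getline(std::cin, pass);     // main+113

    if (credentials_match(user, pass)) {
        // Success branch, main+186..+234: print a message, then run a command.
        std::cout << "SUCCESS_MESSAGE_PLACEHOLDER" << std::endl;  // main+201, main+217
        std::system(kShellCommand);                                // main+229: system()
    } else {
        // Failure branch, main+236..+267: the message seen in the run above.
        std::cout << "Invalid username or password" << std::endl;
    }
    return 0;   // main+318: mov $0x0,%eax; both branches end up here
}
```

Both comparisons are byte-for-byte against constants stored in the binary itself, which is why credentials hardcoded into a setuid program like login2 (mode -rws--xr-x, owned by level2) are recoverable by anyone who can read the file.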