"No exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability, or any other public emergency, may be invoked as a justification of torture." -- U.N. Convention Against Torture
Step 1 - What do you need a. A Linux Distribution (For example I used Ubuntu 7.10 under VMware Workstation) b. Boomerang Decompiler
Official Description: A general, open source, retargetable decompiler of machine code programs
Download from: http://boomerang.sourceforge.net/ c. Evan's Debugger
Official Description: A debugger which is as functional and usable as OllyDbg but for Linux
Download from: http://www.codef00.com/
Step 2 - Understanding the program
Download it in Boomerang's directory:
It says "Can't open.". Strange.
Let's decompile and try to understand it better.
# ./boomerang app20
Now analyze the output files. Try to understand the basics of the code. There's a main function and a strange complex mathematical one.
Each starts with an address which you'll copy in some other file temp.txt for easier later use. So now you got two addresses of two functions and a basic understanding of the program. Go to the next step.
Step 3 - Prepare
If you skipped the last step you won't be able to do this one.
Step 4 - The Fun Part
Open Evan's Debugger, configure the symbols/plugins directories if needed and set the initial breakpoint to the application entry point. Open app20 with the debugger and press F9 to start the application. It automatically breaks after initialization. Right click, select Goto Address, paste the address of the main function and put a break on it. Then do the same for the mathematical function. Continue the run of the program with F9 until it ends. You will notice that it didn't even call the mathematical function. Reload it, start it, put the same two breakpoints but this time look in the main function until you find the location where the mathematical function is called. Don't forget to also note the address of this call in temp.txt
You might need it if you fail from the first try.
What you found looks like this:
[...] call ADDRESS
You need to force the program to make that call.
What I did was simply right clicking on CODE :
, selected Edit Bytes, copied the Hex stuff, then right clicked on CODE :
, again selected Edit Bytes and pasted the Hex stuff from the previous command. It now looked like this:
[...] call ADDRESS
Now just keep clicking F9 until the program is finished and check its output. You got a password! Modify it a bit and finish the level.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 15 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.