Yeah actually, pretty easy to bypass the verification in the first place.
SPOILER !!
I did it pretty quickly so I don't know all the algo behind it, but first, let's just do:
~$ strings ./adventure
We can see some strings, and also some called functions written in plain text.
And we can note the use of "strlen" and "strncmp".
Then it checks if the argv length is 5 (expecting "hello"). // Here is the use of the STRLEN function
Then, we can see it checks if the string is good with the "strncmp" function, but I don't know with what, and I will see later. (I'm at work, so no time to go deep.)
We can also see that the "strncmp" func is called at least 2 times when we run the bin in GDB or something.
I tried to rewrite the STRNCMP function and inject it, so:
https://linux.die.net/man/3/strncmp
#include <stddef.h>   /* size_t */

/* Replacement strncmp: ignores its arguments and reports "equal" for every comparison */
int strncmp(const char *str1, const char *str2, size_t size)
{
    (void)str1; (void)str2; (void)size;
    return 0;
}
Compile with GCC, inject it with LD_PRELOAD, and then:
~$ LD_PRELOAD=./i_adventure.so ./adventure 12345
Friendly greetings to you, hacker from another world !
So, why are you here ? : whatever_you_want_it_wont_verify_it
whatever_you_want_it_wont_verify_it ? good, good, welcome to the guild hall!
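Why the preload trick works, and what a binary would have to do differently, as an added example that is not part of the post above and not the challenge's own code. It reconstructs the check the post describes (strlen plus strncmp, both resolved through libc, so a preloaded library defining strncmp replaces the comparison) next to the same check written in the program's own code, where there is no dynamic symbol to interpose. The function names, the "hello" expected value and the LD_PRELOAD tripwire are assumptions for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed placeholder; the real binary's expected string is not known. */
#define EXPECTED "hello"

/* Check as the post reconstructs it. Both calls are PLT entries bound to libc,
   so a preloaded strncmp that always returns 0 makes any input "good". */
int check_via_libc(const char *arg)
{
    if (strlen(arg) != strlen(EXPECTED))
        return 0;
    return strncmp(arg, EXPECTED, strlen(EXPECTED)) == 0;
}

/* Length computed without calling strlen. */
static size_t local_len(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* Same comparison done entirely inside the executable: no libc symbol is
   involved, so LD_PRELOAD has nothing to replace. The xor-accumulate loop also
   avoids the memcmp-like shape a compiler might otherwise turn into a call. */
int check_local(const char *arg)
{
    size_t n = local_len(EXPECTED);
    if (local_len(arg) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)arg[i] ^ (unsigned char)EXPECTED[i];
    return diff == 0;
}

/* Cheap tripwire: report whether LD_PRELOAD is set in our environment. Weak on
   its own, since it sees only the environment variable, not /etc/ld.so.preload. */
int preload_env_present(void)
{
    return getenv("LD_PRELOAD") != NULL;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    if (preload_env_present())
        fprintf(stderr, "note: LD_PRELOAD is set\n");
    printf("libc check : %s\n", check_via_libc(argv[1]) ? "pass" : "fail");
    printf("local check: %s\n", check_local(argv[1]) ? "pass" : "fail");
    return 0;
}
```

Build with something like `gcc -O2 -fno-builtin -o checkdemo checkdemo.c`; running it under the post's shim shows the libc check passing for any input while the local check still fails. The same `strings`/`nm -D` inspection the post starts with is the way to confirm the result: if `strncmp` no longer appears among the binary's imported symbols, there is nothing for a preloaded library to hook. Linking with `-static` removes the dynamic loader altogether at the cost of a much larger binary. None of this hides the expected string itself, which `strings` reveals either way; it only closes the interposition route.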