Connect with PuTTY
ssh level1@io.smashthestack.org
password: level1
level1@io:~$ cd /levels
level1@io:/levels$ gdb -q level01
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
0x08048080 <+0>: push $0x8049128
0x08048085 <+5>: call 0x804810f <puts>
0x0804808a <+10>: call 0x804809f <fscanf>
0x0804808f <+15>: cmp $0x10f,%eax
0x08048094 <+20>: je 0x80480dc <YouWin>
0x0804809a <+26>: call 0x8048103 <exit>
End of assembler dump.
(gdb) b *main+15
Breakpoint 1 at 0x804808f
(gdb) r
Starting program: /levels/level01
Enter the 3 digit passcode to enter: 123 <-- I tried entering 123.
Breakpoint 1, 0x0804808f in main ()
(gdb) info reg
eax 0x7b 123 <----- the value I entered is set in eax (shown in hex)
ecx 0xbfffed58 -1073746600
edx 0x1000 4096
ebx 0x7b 123
esp 0xbffffd5c 0xbffffd5c
ebp 0x0 0x0
esi 0xbfffed5c -1073746596
edi 0x0 0
eip 0x804808f 0x804808f <main+15>
eflags 0x282 [ SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
Looking at the main function:
0x0804808f <+15>: cmp $0x10f,%eax <--- compares the return value of fscanf with 0x10f (271)
So entering 271 jumps to the YouWin function.
level1@io:/levels$ ./level01
Enter the 3 digit passcode to enter: 271
Congrats you found it, now read the password for level2 from /home/level2/.pass
sh-4.2$ cat /home/level2/.pass
hgvbmkQIHavkGg5wyk
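
The check found by hand above, a constant compared against a register right before a conditional jump, is the pattern to look for when auditing a binary for hard-coded secrets. The following is an added example, not part of the original post; the function and variable names are my own, and the sample input is the disassembly of main shown above.

```python
import re

# The listing gdb printed for main in the walkthrough above, embedded as sample input.
LISTING = """\
0x08048080 <+0>: push $0x8049128
0x08048085 <+5>: call 0x804810f <puts>
0x0804808a <+10>: call 0x804809f <fscanf>
0x0804808f <+15>: cmp $0x10f,%eax
0x08048094 <+20>: je 0x80480dc <YouWin>
0x0804809a <+26>: call 0x8048103 <exit>
"""

# One AT&T-syntax line from `disas`: address, <+offset>:, mnemonic, operands.
LINE = re.compile(r"^\s*(?:=>\s*)?0x[0-9a-f]+\s+<\+(\d+)>:\s+(\S+)\s*(.*)$", re.I)
CMP_IMM = re.compile(r"^\$(-?0x[0-9a-f]+|-?\d+),\s*(%\w+)$", re.I)
TARGET = re.compile(r"^(0x[0-9a-f]+)(?:\s+<([^>]+)>)?$", re.I)
COND_JUMPS = {"je", "jz", "jne", "jnz"}


def find_constant_checks(listing):
    """Return one finding per `cmp $imm,%reg` immediately followed by je/jne."""
    findings = []
    pending = None  # set only while the previous instruction was cmp $imm,%reg
    for raw in listing.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip "Dump of assembler code..." and other non-instruction lines
        offset, mnem, ops = int(m.group(1)), m.group(2).lower(), m.group(3).strip()
        if pending and mnem in COND_JUMPS:
            t = TARGET.match(ops)
            target = (t.group(2) or t.group(1)) if t else ops
            findings.append({**pending, "jump": mnem, "target": target})
        imm = CMP_IMM.match(ops) if mnem.startswith("cmp") else None
        pending = ({"offset": offset, "register": imm.group(2),
                    "value": int(imm.group(1), 0)} if imm else None)
    return findings


if __name__ == "__main__":
    for f in find_constant_checks(LISTING):
        print(f"main+{f['offset']}: {f['register']} compared with constant "
              f"{f['value']} ({hex(f['value'])}), {f['jump']} -> {f['target']}")
```
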