-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsource.c
126 lines (106 loc) · 2.78 KB
/
source.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
// gcc -m32 source.c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <sys/ptrace.h>
void clear_stdin()
{
int c = 0; // -0xc(%ebp)
while (1)
{
c = getchar();
if (c == '\n' || c == 0xff)
break;
}
}
unsigned int get_unum()
{
unsigned int unum = 0; // -0xc(%ebp)
fflush(stdout);
scanf("%u", &unum);
clear_stdin();
return unum;
}
// Slightly incorrect, but whatever
void prog_timeout()
{
exit(1); // Supposed to be a system call but cannot reproduce
}
void enable_timeout_cons()
{
signal(SIGALRM, prog_timeout);
alarm(60);
}
// any above functions are useless
/*
Missing optimizations in assembly:
0x0804877d <+53>: push %eax
0x0804877e <+54>: xor %eax,%eax
0x08048780 <+56>: je 0x8048785 <auth+61>
0x08048782 <+58>: add $0x4,%esp
0x08048785 <+61>: pop %eax
It doesnt change the behavior at all and idk how to reproduce it
*/
int auth(char *login, unsigned int serial)
{
int i; // -0x14(%ebp)
int hash; // -0x10(%ebp)
int login_len; // -0xc(%ebp)
login[strcspn(login, "\n")] = 0;
login_len = strnlen(login, 32);
if (login_len <= 5)
return 1;
if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1)
{
puts("\x1B[32m.---------------------------.");
puts("\x1B[31m| !! TAMPERING DETECTED !! |");
puts("\x1B[32m'---------------------------'");
return 1;
}
hash = (login[3] ^ 4919) + 6221293;
for (i = 0; i < login_len; i++)
{
if (login[i] <= 31)
return 1;
hash += (hash ^ (unsigned int)login[i]) % 0x539;
}
if (serial != hash)
return 1;
return 0;
}
/*
Missing optimizations in assembly:
0x08048895 <+28>: push %eax
0x08048896 <+29>: xor %eax,%eax
0x08048898 <+31>: je 0x804889d <main+36>
0x0804889a <+33>: add $0x4,%esp
0x0804889d <+36>: pop %eax
Aswell as multiple slight differences with different registers for optimization
It doesnt change the behavior at all and idk how to reproduce it
*/
int main()
{
int padding[4]; // 0x18(%esp)
unsigned int serial; // 0x28(%esp)
char login[32]; // 0x2c(%esp)
puts("***********************************");
puts("*\t\tlevel06\t\t *");
puts("***********************************");
printf("-> Enter Login: ");
fgets(login, 32, stdin);
puts("***********************************");
puts("***** NEW ACCOUNT DETECTED ********");
puts("***********************************");
printf("-> Enter Serial: ");
scanf("%u", &serial);
if (!auth(login, serial))
{
puts("Authenticated!");
system("/bin/sh");
return 0;
}
else
return 1;
}