root-me:ELF-Fake-Instructions

disas main
and set a breakpoint on the indirect call here:
0x80486a4 <main+336>: call edx
when the breakpoint is reached, set a second breakpoint on the address held in edx (the real target of the call), that is:
EDX: 0x80486c4 (<WPA>: push ebp)
ni
then, once inside the function:
disas WPA
and look at these lines:
0x080486f2 <+46>: mov DWORD PTR [esp],eax
=> 0x080486f5 <+49>: call 0x804847c <strcmp@plt>
0x080486fa <+54>: test eax,eax
0x080486fc <+56>: jne 0x804870f <WPA+75>
set a breakpoint at the check (the jne that follows the strcmp): 0x080486fc
then, when it is hit, negate the ZF so the jne is not taken (you can use my flags util to do it easily: http://dumpz.org/1376235/)
gdb-peda$ flags
O D I T S Z * A * P * C
[ ][ ][X][ ][X][ ][ ][ ][ ][X][X][ ]
gdb-peda$ neg_flag 'Z'
O D I T S Z * A * P * C
[ ][ ][X][ ][X][X][ ][ ][ ][X][X][ ]
gdb-peda$ ni
then keep stepping... and you will see the pass:
gdb-peda$ ni
'+) Authentification réussie...
U'r root!
sh 3.0 # password: liberté!
[Inferior 1 (process 8463) exited normally]