Let's see what is inside with the general tools:

```text
objdump --debugging ./mycrk
```

```text
readelf --debug-dump=line ./mycrk
```

```text
nm -a ./mycrk
```

Checked, and found nothing interesting. The hope was to find some nice string that looks like a key ... but there were no candidates for such a string. The only way now is to look at the disassembly and see if there is something interesting there. Let's use objdump for that; it should be enough here, as there is only one level to dig through.

```text
objdump -d ./mycrk
```

Now we know that a message is printed first and then we type in our key. The first call, _printf_, outputs the string and the second, _scanf_, definitely reads our input.

```text
80483f1: e8 ee fe ff ff    call   80482e4
80483f6: 83 c4 10          add    $0x10,%esp
80483f9: 83 ec 08          sub    $0x8,%esp
80483fc: 8d 45 f4          lea    -0xc(%ebp),%eax
80483ff: 50                push   %eax
8048400: 68 22 85 04 08    push   $0x8048522
8048405: e8 ba fe ff ff    call   80482c4
804840a: 83 c4 10          add    $0x10,%esp
804840d: 8b 45 f8          mov    -0x8(%ebp),%eax
8048410: 3b 45 f4          cmp    -0xc(%ebp),%eax
8048413: 75 1d             jne    8048432
```

_scanf_ gets some kind of parameter at address 0x8048522. Let's check what is there ... it's "%d ", so the call is _scanf("%d ", (int))_ and it reads an integer; we can assume the key consists of digits only. In a format string _%d_ is a signed number, but who cares. Let's also assume the easiest case: the program just compares the input with some number, and that number is the key we are looking for. Put a breakpoint at 0x80483f6

```text
(gdb) break *0x80483f6
```

and step instruction by instruction. The _%eax=%ebp-0x8_ load is the decision point that validates the key: one of the two compared values is our own input, the other is 0x5b1270. A small translation and ...
int(0x5b1270) = 5968496

```text
; at this point the comparison happens: is the input value valid or not?
; something like
;   if (scanf("%d", stdin) == cd_key)
; (same two instructions as above, shown here in Intel operand order, destination first)
804840d: 8b 45 f8    mov eax,DWORD PTR [ebp-0x8]
8048410: 3b 45 f4    cmp eax,DWORD PTR [ebp-0xc]
```

## Notes

- __break *0x000__ set a breakpoint at an address
- __x/i $pc__ print the instruction at the current position
- __p $eflags__ print eflags
- __p $eax__ print the value of register EAX
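As an added example (not part of the original write-up), here is a small Python script that automates the reading of the AT&T listing above: it parses the objdump lines, follows the buffer handed to scanf to the cmp that consumes it, and reports which stack slot holds the input and which holds the expected key. It assumes 0x80482c4 is the scanf stub, as identified above, and embeds the quoted listing as constructed sample input.

```python
import re

# Constructed sample input: the objdump -d lines quoted in the write-up (AT&T syntax).
DISASM = """\
80483f1: e8 ee fe ff ff call 80482e4
80483f6: 83 c4 10 add $0x10,%esp
80483f9: 83 ec 08 sub $0x8,%esp
80483fc: 8d 45 f4 lea -0xc(%ebp),%eax
80483ff: 50 push %eax
8048400: 68 22 85 04 08 push $0x8048522
8048405: e8 ba fe ff ff call 80482c4
804840a: 83 c4 10 add $0x10,%esp
804840d: 8b 45 f8 mov -0x8(%ebp),%eax
8048410: 3b 45 f4 cmp -0xc(%ebp),%eax
8048413: 75 1d jne 8048432
"""

# address:  opcode bytes  mnemonic  operands  (objdump's tabs are tolerated by \s)
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)\s*([a-z]\S*)(?:\s+(.*))?$")

def parse(text):
    """Turn objdump -d output into a list of {addr, mnem, ops} dicts."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"addr": int(m.group(1), 16), "mnem": m.group(3), "ops": (m.group(4) or "").strip()})
    return out

def find_key_check(insns, scanf_target):
    """Follow the buffer handed to scanf to the cmp that consumes it. cdecl pushes right to
    left: last push = format string, the one before = output pointer, and the lea that filled
    that register names scanf's stack slot; the mov feeding the cmp's other operand is the key."""
    for i, ins in enumerate(insns):
        if ins["mnem"] != "call" or int(ins["ops"].split()[0], 16) != scanf_target:
            continue
        pushes = [p for p in insns[:i] if p["mnem"] == "push"][-2:]
        if len(pushes) < 2:
            continue  # arguments not visible in this listing
        fmt_addr = int(pushes[1]["ops"].lstrip("$"), 16)
        reg = pushes[0]["ops"]
        lea = next(p for p in reversed(insns[:i]) if p["mnem"] == "lea" and p["ops"].endswith(reg))
        input_slot = lea["ops"].split(",")[0]
        for j, cmp in enumerate(insns[i + 1:], i + 1):
            if cmp["mnem"] == "cmp" and input_slot in cmp["ops"]:
                other = cmp["ops"].replace(input_slot, "").strip(",")
                mov = next(p for p in reversed(insns[i:j]) if p["mnem"] == "mov" and p["ops"].endswith(other))
                return {"fmt_addr": fmt_addr, "input_slot": input_slot,
                        "key_slot": mov["ops"].split(",")[0], "cmp_addr": cmp["addr"]}
    return None
```

Running `find_key_check(parse(DISASM), 0x80482C4)` reports the format string at 0x8048522, the input in `-0xc(%ebp)`, the key in `-0x8(%ebp)` and the compare at 0x8048410, which is exactly where the gdb session above inspects the two values.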