This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the key. If not, it tells you the key is wrong. The key is stored byte-by-byte in the program and is assembled dynamically during runtime. After assembly, it compares the supplied password with the one on its stack.
import struct, sys def main(): stack_dump = [0x38343664, 0x39366537, 0x64386562, 0x00313538] ans = "" for i in stack_dump: ans += struct.pack("I", i) sys.stdout.write(ans) if __name__ == "__main__": main()
Running this on our local machine:
amon@Alyx:~/cscamp/exp100$ ./level100 useage : ./level100 amon@Alyx:~/cscamp/exp100$ ./level100 wrongkey Wrong key, try harder amon@Alyx:~/cscamp/exp100$ ./level100 `python solvee100.py` Congratulation, let me grab you content of key.txt cat: ./key.txt: No such file or directory amon@Alyx:~/cscamp/exp100$