Hacking Series Part 7
Category: reverse engineering
We are given a binary named “vuln” and told to find the last integer value passed to the function doNothing; this number serves as the flag. The first thing I did was open vuln in IDA, and saw that the program was very small with only two main areas to pay attention to. The first area is four function calls to _fork, and the second is the doNothing function mentioned before.
Since we now know the context of the program, by “last integer value” I assumed that we needed to find the last integer passed to doNothing in the last fork. To do this, I made the binary executable and opened it in gdb. I then added a breakpoint at the address of fork with the command b fork@plt. Since the function is called four times in the program, I used continue until I reached the last call to fork. In order to view the integer that is in the last fork, we have to attach to the child process it spawns so that we can continue running only that process until we reach
Now we need to add another breakpoint somewhere in or around doNothing to see the integer sent as a parameter. First, we need to determine exactly how many parameters this function takes in the first place. Looking at the IDA view of this function, it seems like it takes only one parameter, called
Since there is only one argument, the integer we need must be stored there. In the image above, there is a line that makes it really easy to find the integer:
mov eax, [ebp+arg_0]
We know for sure that after this line, the integer passed to doNothing will be stored in eax. So, after this line is an ideal place to add another breakpoint in gdb. To do this, I first looked at the equivalent assembly of doNothing in gdb.
The ideal place to add a breakpoint is at address 0x56555560, since it comes after the mov instruction to eax. I set the breakpoint in gdb using the command b *0x56555560, then continued execution. As expected, the program hit the breakpoint, so the only thing to do now is look inside
The address of the integer is what is truly stored in eax, but the integer that it holds is shown right beside it. The last integer value passed to doNothing is -721750240.
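The whole procedure above can be scripted so it replays identically every time instead of typing continue by hand. The following gdb command file is an added example and is not part of the original write-up; it assumes the binary sits at ./vuln and that 0x56555560 is the address right after mov eax, [ebp+arg_0], exactly as stated in the post. The only gdb behaviour it relies on is the standard follow-fork-mode setting: gdb follows the parent by default, so the fourth hit of fork@plt is the last fork call in the original process, and switching to child at that point is the "attach to the child" step from the text.

```gdb
# Added example (not from the original post): automates the write-up's
# gdb session. Assumes ./vuln and the breakpoint address 0x56555560.
file ./vuln

# Stay with the parent through the first three forks (gdb's default),
# so the fourth hit of fork@plt is the last fork call in this process.
set follow-fork-mode parent
set detach-on-fork on

break fork@plt
run

# The breakpoint fires once per call; "continue 3" ignores the next two
# hits and stops on the third, i.e. at the fourth (last) call to fork.
continue 3

# Now stopped just before the last fork. From here on, follow the child
# that this fork creates rather than the parent.
set follow-fork-mode child

# Stop right after doNothing has loaded its argument into eax.
break *0x56555560
continue

# eax holds the argument: show it as hex plus signed decimal, and as a
# plain signed decimal.
info registers eax
print/d $eax
```

Save it as vuln.gdb and run gdb -q -x vuln.gdb; the last print/d line is the value the post reports. Because detach-on-fork is on, gdb lets the parent go once it switches to the child, so only the process that reaches the final doNothing call is still under the debugger, which is the same single-process view the write-up describes.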