42_Override/level06/ressources/exploit.c

#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

bool auth(char *s, int serial)
{
	int key;
	int len;

	s[strcspn(s, "\n")] = 0;
	len = strnlen(s, 32);
	if (len <= 5)
		return 1;
	if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
		puts("\x1B[32m.---------------------------.");
		puts("\x1B[31m| !! TAMPERING DETECTED !!  |");
		puts("\x1B[32m'---------------------------'");
		return 1;
	}
	key = (s[3] ^ 4919) + 6221293;
	for (int i = 0; i < len; ++i) {
		if (s[i] <= 31)
			return 1;
		key += (key ^ (unsigned int)s[i]) % 1337;
	}
	// Here is the exploit
	printf("key: %d\n", key);
	return serial != key;
}

int main(void)
{
	int serial;
	char s[28];

	puts("***********************************");
	puts("*\t\tlevel06\t\t  *");
	puts("***********************************");
	printf("-> Enter Login: ");
	fgets(s, 32, stdin);
	puts("***********************************");
	puts("***** NEW ACCOUNT DETECTED ********");
	puts("***********************************");
	printf("-> Enter Serial: ");
	scanf("%d", &serial);
	if (auth(s, serial))
		return 1;
	puts("Authenticated!");
	system("/bin/sh");
	return 0;
}