In this level, I have only one executable file. I will instantly see what it does with gdb.
disas main
Dump of assembler code for function main:
0x0804858c <+0>: push %ebp
0x0804858d <+1>: mov %esp,%ebp
0x0804858f <+3>: and $0xfffffff0,%esp
0x08048592 <+6>: sub $0x10,%esp
0x08048595 <+9>: call 0x8048380 <getuid@plt>
0x0804859a <+14>: cmp $0x1092,%eax
0x0804859f <+19>: je 0x80485cb <main+63>
0x080485a1 <+21>: call 0x8048380 <getuid@plt>
0x080485a6 <+26>: mov $0x80486c8,%edx
0x080485ab <+31>: movl $0x1092,0x8(%esp)
0x080485b3 <+39>: mov %eax,0x4(%esp)
0x080485b7 <+43>: mov %edx,(%esp)
0x080485ba <+46>: call 0x8048360 <printf@plt>
0x080485bf <+51>: movl $0x1,(%esp)
0x080485c6 <+58>: call 0x80483a0 <exit@plt>
0x080485cb <+63>: movl $0x80486ef,(%esp)
0x080485d2 <+70>: call 0x8048474 <ft_des>
0x080485d7 <+75>: mov $0x8048709,%edx
0x080485dc <+80>: mov %eax,0x4(%esp)
0x080485e0 <+84>: mov %edx,(%esp)
0x080485e3 <+87>: call 0x8048360 <printf@plt>
0x080485e8 <+92>: leave
0x080485e9 <+93>: ret
x/s 0x80486ef
0x80486ef: "boe]!ai0FB@.:|L6l@A?>qJ}I"Perfect, this value seems to be a flag! I will force the program to pass the condition at line 14.
(gdb) b *0x08048595
Breakpoint 1 at 0x8048595
r
Starting program: /home/user/level13/level13
Breakpoint 1, 0x08048595 in main ()
(gdb) set $eax=4242
(gdb) n
Single stepping until exit from function main,
which has no line number information.
your token is 2A31L79asukciNyi8uppkEuSx
0xb7e454d3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6To understand what I did, $eax is the register used to store the return value of functions. Here, I forced the program to think that getuid() returned `4242.