![9d138c41411bd864f9bd54d66e55c1fe.png](f8eef74595584919a37dad980062125b.png)
Running the program:
![227420ef8f16712ad4066bdcfea1382b.png](1dc636074b25470995d38c4cb006ebdb.png)
Let's fire up gdb
`gdb ./sleighbell-lotto`
`disas main`
![92e32fafff4c90621c286d6c31906327.png](6be427e1663a4f08b042c1aee566b0f7.png)
Looks like it picks a random number and compares it to the winning number. If they're the same, it jumps to the `winnerwinner` function; if not, it jumps to the `sorry` function.
Let's set a breakpoint on the compare instruction and do some digging.
![ae6b0938c2037242c3bf7ea47e0bdaee.png](f06bf846a2a8499d872b914b59b29463.png)
`r`
Once the program has stopped at the breakpoint, we'll take a look at the registers.
`info registers`
![e9043c2b59ffaaf544596d85cfb81a3e.png](f6a81fc3da094a47be3cba035bcc7448.png)
So we can see where `rip` is pointing. Following that through the code, it will end up at the `sorry` function. Let's change it to point to the win function and see what happens.
`set variable $rip = 0x0000555555555590`
`c`
![349f3073ca24795c2787244d4ef75c4d.png](b0bd2c4dd6b942e1bdfb6b8ce8323161.png)
So by modifying the instruction pointer, we can jump directly to the win function!
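As an added illustration (not the challenge binary or its author's code), here is a small C program shaped like the lotto above: the branch-gated check that a `set $rip` skips, next to a variant where the payoff is derived from the guess itself, so jumping past the compare only produces garbage. The winning number, flag and keystream are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINNING_NUMBER 1225u   /* constructed stand-in for the real value */
#define FLAG_LEN 16
static const char SECRET[FLAG_LEN] = "FLAG{lotto-win}";  /* constructed flag */

/* Branch-gated check, the shape seen in the disassembly above: one compare,
 * then a jump. Pointing rip past the compare reaches the win path without
 * the guess ever being right. */
int lotto_branch(uint32_t guess) {
    return guess == WINNING_NUMBER;   /* win path = return 1 */
}

/* Keystream derived from the number (constructed xorshift32, not crypto;
 * a real build would use a proper KDF). */
static void keystream(uint32_t seed, uint8_t *out, size_t n) {
    uint32_t x = seed ^ 0x9E3779B9u;          /* keep state non-zero */
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (uint8_t)x;
    }
}

/* Done once by whoever builds the binary; only the sealed bytes would ship.
 * (SECRET lives in this file only so the demo is self-contained.) */
void seal(uint32_t number, uint8_t sealed[FLAG_LEN]) {
    uint8_t ks[FLAG_LEN];
    keystream(number, ks, FLAG_LEN);
    for (size_t i = 0; i < FLAG_LEN; i++) sealed[i] = (uint8_t)SECRET[i] ^ ks[i];
}

/* What the shipped binary does instead of cmp/jne: there is no branch to
 * skip, so a wrong guess, or a forced jump here, yields bytes that are not
 * the flag. */
void unseal(uint32_t guess, const uint8_t sealed[FLAG_LEN], char out[FLAG_LEN]) {
    uint8_t ks[FLAG_LEN];
    keystream(guess, ks, FLAG_LEN);
    for (size_t i = 0; i < FLAG_LEN; i++) out[i] = (char)(sealed[i] ^ ks[i]);
    out[FLAG_LEN - 1] = '\0';                 /* always a valid C string */
}

int main(void) {
    uint8_t sealed[FLAG_LEN]; char out[FLAG_LEN];
    seal(WINNING_NUMBER, sealed);
    unseal(WINNING_NUMBER, sealed, out); printf("right guess: %s\n", out);
    unseal(42u, sealed, out);            printf("wrong guess: %s\n", out);
    return 0;
}
```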
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #reverse_engineering #gdb
Related: