![9d138c41411bd864f9bd54d66e55c1fe.png](f8eef74595584919a37dad980062125b.png)

Running the program:

![227420ef8f16712ad4066bdcfea1382b.png](1dc636074b25470995d38c4cb006ebdb.png)

Let's fire up gdb and disassemble `main`:

`gdb ./sleighbell-lotto`

`disas main`

![92e32fafff4c90621c286d6c31906327.png](6be427e1663a4f08b042c1aee566b0f7.png)

Looks like it picks a random number and compares it to the winning number. If they're the same, it jumps to the 'winnerwinner' function; if not, it jumps to the 'sorry' function. Let's set a breakpoint on the compare and do some digging:

![ae6b0938c2037242c3bf7ea47e0bdaee.png](f06bf846a2a8499d872b914b59b29463.png)

`r`

Once the program has stopped on the breakpoint, we're going to peek at the registers:

`info registers`

![e9043c2b59ffaaf544596d85cfb81a3e.png](f6a81fc3da094a47be3cba035bcc7448.png)

So we can see where `rip` is pointing. We can follow that through the code and see that it will end up at the 'sorry' function. Let's change it to point to the win function ('winnerwinner') and see what happens:

`set variable $rip = 0x0000555555555590`

`c`

![349f3073ca24795c2787244d4ef75c4d.png](b0bd2c4dd6b942e1bdfb6b8ce8323161.png)

So by modifying the instruction pointer, we can jump directly to the win function! The check lives entirely inside a process the user controls, which is why a result like this can never be trusted by the program (or anything behind it) unless it is verified somewhere the user cannot reach.

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #reverse_engineering #gdb

Related:
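The same steps can be scripted so they are reproducible. The gdb command file below is an added example, not part of the original write-up. It assumes the binary still carries the `winnerwinner` symbol (as the disassembly shows), that gdb's default of disabling ASLR keeps the `0x0000555555555590` address from the session above valid, and `ADDRESS_OF_CMP` is a placeholder you replace with the address of the `cmp` instruction read from `disas main`.

```gdb
# Added example (not from the original write-up).
# Usage: gdb -q -x skip-lotto.gdb ./sleighbell-lotto
# ADDRESS_OF_CMP is a placeholder: take the real address from `disas main`.

set pagination off

# Stop right at the comparison between the random draw and the winning number.
break *ADDRESS_OF_CMP
commands
  silent
  # Show where execution would have gone (the rip value the write-up inspects).
  printf "Stopped at the compare, rip = %p\n", $rip
  info registers rip
  # Same redirection as `set variable $rip = ...` in the walkthrough:
  # 0x0000555555555590 is the 'winnerwinner' address from this session
  # (stable only because gdb disables ASLR by default).
  set $rip = 0x0000555555555590
  printf "Redirected rip to winnerwinner at %p\n", $rip
  continue
end

run
quit
```

If the binary has symbols, `set $rip = (long)winnerwinner` or `jump *winnerwinner` avoids the hard-coded address and keeps working if the load address changes.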