Rating: 4.5

This is a Rust binary, which often contains a lot of "junk" code (instructions that aren't relevant to the program logic). However, since the binary is relatively small, we can just use gdb and step through the code, to determine which instructions are actually relevant.

We eventually can identify that the check is performed here. Nothing much to care about, just need to know that the check is done at `cmp edi, [r14 + rsi * 4]`, where `edi` is the correct character, `r14` is the start of our input, and `rsi` is the index. The `rsi * 4` is just because the program converted each byte into a dword earlier.

![cmp](https://cdn.pbrd.co/images/HXq9EZ1.png)

`edi` is read from this part of the stack which was initialized with some values earlier.

![init](https://cdn.pbrd.co/images/HXqa91J.png)

One way to do this is to extract those data from the binary, then perform the same operations to convert them into the flag. Or, one can just script gdb to set a breakpoint at the `cmp` instruction, and print the value of `edi`.

```
gef config context.enable 0
pie break *0x6991
pie run < input

set $i = 0
while($i < 0x22)
printf "%c", $edi
set $i = $i+1
c
end
```