docs(lvl13): adding the readme

2026-01-28 02:49:20 +01:00 · 2026-01-28 02:49:20 +01:00 · fefcf8fcd1
commit fefcf8fcd1
parent 1bf9c83d06
1 changed files with 88 additions and 0 deletions
--- a/level13/README.md
+++ b/level13/README.md
@ -0,0 +1,88 @@
+Lors de l'arriver sur le level13 je remarque le fichier level13
+
+```bash
+ls -l level13
+-rwsr-sr-x 1 flag13 level13 7303 Aug 30  2015 level13
+```
+
+Et je remarque egallement que c'est du C
+```c
+ltrace ./level13
+__libc_start_main(0x804858c, 1, 0xbffff7f4, 0x80485f0, 0x8048660 <unfinished ...>
+getuid()                                                                  = 2013
+getuid()                                                                  = 2013
+printf("UID %d started us but we we expe"..., 2013UID 2013 started us but we we expect 4242
+)                       = 42
+exit(1 <unfinished ...>
+++ exited (status 1) +++
+
+```
+
+en le lancant (plus proprement), il attente l'UID 4242
+```bash
+level13@SnowCrash:~$ ./level13
+UID 2013 started us but we we expect 4242
+```
+
+Voici le code de la fonction main
+```asm
+0804858c <main>:
+ 804858c:	55                   	push   ebp
+ 804858d:	89 e5                	mov    ebp,esp
+ 804858f:	83 e4 f0             	and    esp,0xfffffff0
+ 8048592:	83 ec 10             	sub    esp,0x10
+ 8048595:	e8 e6 fd ff ff       	call   8048380 <getuid@plt>
+ 804859a:	3d 92 10 00 00       	cmp    eax,0x1092
+ 804859f:	74 2a                	je     80485cb <main+0x3f>
+ 80485a1:	e8 da fd ff ff       	call   8048380 <getuid@plt>
+ 80485a6:	ba c8 86 04 08       	mov    edx,0x80486c8
+ 80485ab:	c7 44 24 08 92 10 00 	mov    DWORD PTR [esp+0x8],0x1092
+ 80485b2:	00
+ 80485b3:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
+ 80485b7:	89 14 24             	mov    DWORD PTR [esp],edx
+ 80485ba:	e8 a1 fd ff ff       	call   8048360 <printf@plt>
+ 80485bf:	c7 04 24 01 00 00 00 	mov    DWORD PTR [esp],0x1
+ 80485c6:	e8 d5 fd ff ff       	call   80483a0 <exit@plt>
+ 80485cb:	c7 04 24 ef 86 04 08 	mov    DWORD PTR [esp],0x80486ef
+ 80485d2:	e8 9d fe ff ff       	call   8048474 <ft_des>
+ 80485d7:	ba 09 87 04 08       	mov    edx,0x8048709
+ 80485dc:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
+ 80485e0:	89 14 24             	mov    DWORD PTR [esp],edx
+ 80485e3:	e8 78 fd ff ff       	call   8048360 <printf@plt>
+ 80485e8:	c9                   	leave
+ 80485e9:	c3                   	ret
+ 80485ea:	90                   	nop
+ 80485eb:	90                   	nop
+ 80485ec:	90                   	nop
+ 80485ed:	90                   	nop
+ 80485ee:	90                   	nop
+ 80485ef:	90                   	nop
+```
+
+Notamment cette ligne (7) qui vas nous interesser
+```asm
+804859a:    cmp    eax,0x1092
+```
+
+0x1092 = 0d4242
+il suffit de changer la valeur de notre uid lors de la comparaison (a l'aide de gdb)
+```asm
+(gdb) b main
+Breakpoint 1 at 0x804858f
+(gdb) b *0x804859a
+Breakpoint 2 at 0x804859a
+(gdb) r
+Starting program: /home/user/level13/level13
+
+Breakpoint 1, 0x0804858f in main ()
+(gdb) s
+Single stepping until exit from function main,
+which has no line number information.
+
+Breakpoint 2, 0x0804859a in main ()
+(gdb) set $eax=0x1092
+(gdb) c
+Continuing.
+your token is 2A31L79asukciNyi8uppkEuSx
+[Inferior 1 (process 2288) exited with code 050]
+```