by wazari972 3507 days ago
I played the game another way, without reverse engineering but with execution tricks:

> https://gist.github.com/kpouget/d13b6328dd6ad8489affb3d24ad8...

1/ a simple GDB.py trick: `make debug` (passme.py)
2/ a not-so-easy-in-the-end LD_PRELOAD trick: `make run` (passme.c)


Mind asking a few things? What's the purpose of this line

    void *call_addr = (void *)CHECKSUM_CALL_ADDR;

and then casting the rvalue to a double void pointer here:

    void **target = (void **)CHECKSUM_CALL_ADDR;

(why not just void*)? Also, even though mprotect() succeeds, I got a segfault.
> Mind asking a few things?

Sure! Nothing and nothing ;-) They were just leads I was trying. `target` was for:

    void **target; *target = *mov_addr; // move sizeof(void *) bits

I've updated the gist.

> Also, even though mprotect() succeeds, I got a segfault.

try in GDB something like:

    (gdb) disassemble main
    ...
    0x00000000004005dd <+64>:	mov    %rax,%rdi
    0x00000000004005e0 <+67>:	callq  0x400566 <checksum>
    0x00000000004005e5 <+72>:	mov    %rax,-0x8(%rbp)
    0x00000000004005e9 <+76>:	cmpq   $0xad4,-0x8(%rbp)
    ....
    (gdb) break passme.c:62
    (gdb) continue # should end up *after* the memcpy
    (gdb) disassemble main
    ...
    0x00000000004005dd <+64>:	mov    %rax,%rdi
    0x00000000004005e0 <+67>:	movl   $0xad4,-0x8(%rbp)
    0x00000000004005e7 <+74>:	nop
    0x00000000004005e8 <+75>:	nop
    0x00000000004005e9 <+76>:	cmpq   $0xad4,-0x8(%rbp)

and in both disassemblies, look around 0x4005e0 (<main+67>) to see how the instructions have been overwritten. In the second disassembly, if you see strange-looking instructions (e.g. clc), there was a problem with the copy / the instruction copied. Let me know!
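An added example (not part of the thread or the gist) that automates the check described above: it parses the two gdb `disassemble main` listings quoted in the reply, reports which addresses were overwritten, verifies that decoding resynchronises on an untouched instruction right after the patched span, and flags any mnemonic inside the span that is not one of the expected `movl`/`nop` (a stray `clc`, say, which would indicate a bad copy). The sample listings are the ones quoted above; the expected-mnemonic set is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two `disassemble main` excerpts quoted in the reply,
# before and after the in-memory patch of the call to checksum().
BEFORE = """
   0x00000000004005dd <+64>:\tmov    %rax,%rdi
   0x00000000004005e0 <+67>:\tcallq  0x400566 <checksum>
   0x00000000004005e5 <+72>:\tmov    %rax,-0x8(%rbp)
   0x00000000004005e9 <+76>:\tcmpq   $0xad4,-0x8(%rbp)
"""
AFTER = """
   0x00000000004005dd <+64>:\tmov    %rax,%rdi
   0x00000000004005e0 <+67>:\tmovl   $0xad4,-0x8(%rbp)
   0x00000000004005e7 <+74>:\tnop
   0x00000000004005e8 <+75>:\tnop
   0x00000000004005e9 <+76>:\tcmpq   $0xad4,-0x8(%rbp)
"""
# One gdb listing line: optional "=>" marker, address, <+offset>:, mnemonic, operands.
LINE_RE = re.compile(r"^\s*(?:=>\s*)?0x([0-9a-fA-F]+)\s+<\+\d+>:\s*(\S+)\s*(.*)$")
Insn = Tuple[str, str]  # (mnemonic, operands)

def parse_disassembly(text: str) -> Dict[int, Insn]:
    """Map each instruction address to (mnemonic, operands); lines like '...' are skipped."""
    insns: Dict[int, Insn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns[int(m.group(1), 16)] = (m.group(2), m.group(3).strip())
    return insns

def diff_disassembly(before: str, after: str) -> List[Tuple[int, Optional[Insn], Optional[Insn]]]:
    """(addr, old, new) for each address decoded differently; None = no instruction starts there."""
    b, a = parse_disassembly(before), parse_disassembly(after)
    return [(addr, b.get(addr), a.get(addr))
            for addr in sorted(set(b) | set(a)) if b.get(addr) != a.get(addr)]

def patch_report(before: str, after: str, expected=("movl", "nop")) -> dict:
    """Span of overwritten addresses, whether decoding resynchronises on an untouched
    instruction right after it, and any mnemonic in the span outside `expected`."""
    changes = diff_disassembly(before, after)
    if not changes:
        return {"span": None, "resynced": True, "odd": []}
    lo, hi = changes[0][0], changes[-1][0]
    a = parse_disassembly(after)
    nxt = min((x for x in a if x > hi), default=None)  # first instruction after the span
    resynced = nxt is not None and parse_disassembly(before).get(nxt) == a[nxt]
    odd = [(addr, new[0]) for addr, _, new in changes if new and new[0] not in expected]
    return {"span": (lo, hi), "resynced": resynced, "odd": odd}
```

Feed it the two listings captured before and after the `memcpy`; a non-empty `odd` list or `resynced == False` is the "strange-looking instructions" case the reply describes.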