Overview
Hack/Unlock the ‘Tower of Hanoi’ game provided. To this end, you must reverse engineer the binary code provided, analyse what it does and extract the appropriate information.
2. Identify software flaws and mitigate against them by writing safe and reliable software.
Part 1: Hack the Tower of Hanoi game
Each student is provided with a different Linux binary file. This binary file runs only on Linux and contains a well-known mathematical game / puzzle called ‘The Tower of Hanoi’. The game is developed in the C programming language. To play the game you need to type a valid username and password which are unknown. Your task is to extract the username and password and thus unlock the game. To this end, you must reverse engineer the binary file provided, analyse what it does and extract the
information needed. You are expected to use ‘gdb’ debugger, as you did in the ‘bomb’ lab session.
1. Extract the username. Justify the procedure followed. Provide the gdb commands used to extract the username.
2. Extract the password. Justify the procedure followed. Provide the gdb commands used to extract the username.
3. Unlock the next level of the game. Justify the procedure followed. Provide the gdb commands used to extract the username. Hint #1: the input is stored as an array of characters (1 byte each). Hint #2: In the beginning of encrypt_phase2(), the values $0x236b6f23 and $0x236b23 refer to ASCII characters
Part 2: Identify software flaws and mitigate against them by writing safe and reliable software.
You are provided with the following C code. This code contains ‘password()’ routine which includes serious software vulnerabilities. Identify its software flaws and rewrite ‘password’ function in order to mitigate against these software vulnerabilities. The marking criteria are as follows:
1. Have you mitigated against buffer overflows?
2. Have you mitigated against invalid inputs, e.g., characters and symbols instead of numbers?
#include
void password();
int main() {
password();
return 0;
}
void password(){
int number;
printf(“PLEASE ENTER YOUR PASSWORD \n”);
while (1){
if((scanf(“%d”,&number)) != 1){
printf(“wrong input\n”);
}
else {
if (number==999){
printf(“\n—-PASSWORD IS CORRECT—–\n\n”);
break;
}
Else
printf(“\nPlease enter a valid password (integer)\n”);
}
}
}
Submission Details
1. A ‘.docx’ file for part1.
2. A ‘.c’ file with the safe version of ‘secure_code.c’ and its generated binary file for part2 (the binary file must run in Linux).