Solution 2: Bruteforce powered by GEF and unicorn-engine

Another way to solve this is to brute-force the password. Since there are only 10000 possible PINs, this wouldn't take too long.

We can emulate the function that checks each digit, testing every combination until the emulated run ends in the expected state.

This is easy to do with GEF's emulation feature, which generates a unicorn Python script that we can then modify and adapt for our purposes.

# 1 - step through the code in gdb
# 2 - reach the start of the check function
# in my case the function starts at 0x555555555269
# and ends at 0x555555555328
# 3 - use the GEF emu command:
emu -t 0x0000555555555328 -s -o emu.py

The command above generates an emulation template for us. We need to modify it slightly so that the emulation runs once for each possible PIN code until it finds the correct one.

We can use Python's itertools to generate the PINs and repeat the emulation until an emulation run ends with rax = 1.

Here we can see that the whole run took around 7 minutes to complete. It's not the most efficient method in the world, but it gets the job done, and there are plenty of tweaks we could make to speed it up if needed.