Cracking ARM - pass args to remote debugging gdb/qemu
I’m trying to debug challenge 9 (ARM code) from my Linux machine. The beginning of the code is as follows:
.text:00008290 MOV R12, SP
.text:00008294 STMFD SP!, {R4,R11,R12,LR,PC}
.text:00008298 SUB R11, R12, #4
.text:0000829C SUB SP, SP, #0x24
.text:000082A0 STR R0, [R11,#var_28]
.text:000082A4 STR R1, [R11,#var_2C]
.text:000082A8 LDR R3, [R11,#var_28]
.text:000082AC CMP R3, #1 ; Check whether arg has been provided
.text:000082B0 BGT loc_82C0 ; Jump to 0x82C0 if arg provided
.text:000082B4 MOV R3, #0xFFFFFFFF
.text:000082B8 STR R3, [R11,#var_30]
.text:000082BC B loc_8448
As you can see, if an arg is provided, the code jumps to 0x82C0, but I can’t find a way to run the code with the argument.
To debug it, I’m using a server/client architecture on my Linux machine as follows:
1st terminal window:
$ qemu-arm -g 1234 ./chall9.bin
2nd terminal window:
$ gdb-multiarch
(gdb) file chall9.bin
Reading symbols from /data/malware/chall9.bin...done.
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
[New Remote target]
[Switching to Remote target]
0x00008150 in _start ()
(gdb) break *0x82b0
Breakpoint 1 at 0x82b0
(gdb) set args 12345
(gdb) show args
Argument list to give program being debugged when it is started is "12345".
(gdb) r
The "remote" target does not support "run". Try "help target" or "continue".
(gdb) c
Continuing.
Breakpoint 1, 0x000082b0 in main ()
(gdb) x /12i $pc
=> 0x82b0
0x82b4
0x82b8
0x82bc
0x82c0
0x82c4
0x82c8
0x82cc
0x82d0
0x82d4
0x82d8
0x82dc
(gdb) si
0x000082b4 in main ()
It seems that my arguments are not being taken into account, because the code should normally jump to 0x82c0 but it jumps to 0x82b4.
Any idea? Thank you in advance for your input.
Found! The arg should be passed to qemu as follows:
$ qemu-arm -g 1234 ./chall9.bin 12345
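The same fix wrapped into one script, added here as an example and not taken from the thread: the guest arguments go on the qemu-arm command line, gdb-multiarch is attached in batch mode, and argc is read back at the breakpoint from the listing (R3 holds the value reloaded from [R11,#var_28]). It assumes qemu-arm and gdb-multiarch are on PATH as in the post; port, binary, breakpoint address and arguments are parameters.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): drive the fix from the reply in one terminal.
# Assumes qemu-arm and gdb-multiarch are on PATH as in the post; the port, binary,
# breakpoint address and guest arguments are all parameters.

# Guest argv is taken only from qemu's own command line: everything after the binary
# path becomes argv[1..] of the emulated program. With "target remote", gdb's
# "set args" is not used, which is why the first attempt fell through to 0x82b4.
qemu_cmd() {
    local port=$1 bin=$2; shift 2
    printf 'qemu-arm -g %s %s' "$port" "$bin"
    for a in "$@"; do printf ' %s' "$a"; done
    echo
}

# gdb commands: attach, stop at the BGT from the listing, and confirm argc there.
# At 0x82b0, R3 holds the value reloaded from [R11,#var_28], i.e. argc (R0 at entry),
# and argv (R1 at entry) is still stored at [R11,#var_2C], i.e. $r11 - 0x2c.
gdb_script() {
    local port=$1 bp=$2
    cat <<EOF
set architecture arm
target remote 127.0.0.1:${port}
break *${bp}
continue
printf "argc = %d\n", \$r3
if \$r3 > 1
  x/s *(*(char ***)(\$r11 - 0x2c) + 1)
end
EOF
}

# Usage: debug_arm 1234 ./chall9.bin 0x82b0 12345
debug_arm() {
    local port=$1 bin=$2 bp=$3; shift 3
    local script qpid
    script=$(mktemp)
    gdb_script "$port" "$bp" > "$script"
    echo "+ $(qemu_cmd "$port" "$bin" "$@")"
    qemu-arm -g "$port" "$bin" "$@" &      # the stub waits for gdb before executing
    qpid=$!
    sleep 0.5                              # give the stub time to start listening
    gdb-multiarch -q -batch -x "$script" "$bin"
    kill "$qpid" 2>/dev/null
    rm -f "$script"
}

if [ "$#" -ge 3 ]; then
    debug_arm "$@"
fi
```

Run it as `./debug_arm.sh 1234 ./chall9.bin 0x82b0 12345`; with the argument on the qemu line the printed argc is 2 and the BGT at 0x82b0 is taken.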