攻防世界 Reverse open-source

• 1.查看源代码
• 2.代码分析
• • 1.first
  • 2.second
  • 3.argv[3]
• 3.重新编写代码

1.查看源代码

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    

    unsigned int first = atoi(argv[1]);//0xcafe
    if (first != 0xcafe) {
    	printf("you are wrong, sorry.\n");
    	exit(2);
    }

    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
    	printf("ha, you won't get it!\n");
    	exit(3);
    }

    if (strcmp("h4cky0u", argv[3])) {
    	printf("so close, dude!\n");
    	exit(4);
    }

    printf("Brr wrrr grr\n");

    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

• 是c的源代码

2.代码分析

• 29行会算出flag
• 那么我们只要让函数顺利执行到29行即可

1.first

if (first != 0xcafe) {
	printf("you are wrong, sorry.\n");
	exit(2);
}

• 让first=0xcafe即可

2.second

if (second % 5 == 3 || second % 17 != 8) {
    	printf("ha, you won't get it!\n");
    	exit(3);
    }

• 看不出来可以直接去跑一下
• 执行代码

for(int second = 0;;second++){
		if(!(second % 5 == 3 || second % 17 != 8)){
            printf("%d",second);
            break;
        }
	}

• 得到second是25

3.argv[3]

if (strcmp("h4cky0u", argv[3])) {
    	printf("so close, dude!\n");
    	exit(4);
    }

• 让argv[3]="h4cky0u"即可

3.重新编写代码

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    unsigned int first = 0xcafe;

    unsigned int second = 25;

	argv[3] = "h4cky0u";


    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

• 编译运行得到flag

Get your key: c0ffee

--------------------------------
Process exited after 0.04379 seconds with return value 0
请按任意键继续. .