攻防世界 Reverse open-source
1.查看源代码
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
unsigned int first = atoi(argv[1]);//0xcafe
if (first != 0xcafe) {
printf("you are wrong, sorry.\n");
exit(2);
}
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
printf("ha, you won't get it!\n");
exit(3);
}
if (strcmp("h4cky0u", argv[3])) {
printf("so close, dude!\n");
exit(4);
}
printf("Brr wrrr grr\n");
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
printf("Get your key: ");
printf("%x\n", hash);
return 0;
}
- 是c的源代码
2.代码分析
- 29行会算出flag
- 那么我们只要让函数顺利执行到29行即可
1.first
if (first != 0xcafe) {
printf("you are wrong, sorry.\n");
exit(2);
}
- 让first=0xcafe即可
2.second
if (second % 5 == 3 || second % 17 != 8) {
printf("ha, you won't get it!\n");
exit(3);
}
- 看不出来可以直接去跑一下
- 执行代码
for(int second = 0;;second++){
if(!(second % 5 == 3 || second % 17 != 8)){
printf("%d",second);
break;
}
}
- 得到second是25
3.argv[3]
if (strcmp("h4cky0u", argv[3])) {
printf("so close, dude!\n");
exit(4);
}
- 让argv[3]="h4cky0u"即可
3.重新编写代码
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
unsigned int first = 0xcafe;
unsigned int second = 25;
argv[3] = "h4cky0u";
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
printf("Get your key: ");
printf("%x\n", hash);
return 0;
}
- 编译运行得到flag
Get your key: c0ffee
--------------------------------
Process exited after 0.04379 seconds with return value 0
请按任意键继续. .