0
点赞
收藏
分享

微信扫一扫

攻防世界 Reverse open-source

SPEIKE 2022-03-11 阅读 66

攻防世界 Reverse open-source

1.查看源代码

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    

    unsigned int first = atoi(argv[1]);//0xcafe
    if (first != 0xcafe) {
    	printf("you are wrong, sorry.\n");
    	exit(2);
    }

    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
    	printf("ha, you won't get it!\n");
    	exit(3);
    }

    if (strcmp("h4cky0u", argv[3])) {
    	printf("so close, dude!\n");
    	exit(4);
    }

    printf("Brr wrrr grr\n");

    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
  • 是c的源代码

2.代码分析

  • 29行会算出flag
  • 那么我们只要让函数顺利执行到29行即可

1.first

if (first != 0xcafe) {
	printf("you are wrong, sorry.\n");
	exit(2);
}
  • 让first=0xcafe即可

2.second

if (second % 5 == 3 || second % 17 != 8) {
    	printf("ha, you won't get it!\n");
    	exit(3);
    }
  • 看不出来可以直接去跑一下
  • 执行代码
for(int second = 0;;second++){
		if(!(second % 5 == 3 || second % 17 != 8)){
            printf("%d",second);
            break;
        }
	}
  • 得到second是25

3.argv[3]

if (strcmp("h4cky0u", argv[3])) {
    	printf("so close, dude!\n");
    	exit(4);
    }
  • 让argv[3]="h4cky0u"即可

3.重新编写代码

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    unsigned int first = 0xcafe;

    unsigned int second = 25;

	argv[3] = "h4cky0u";


    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
  • 编译运行得到flag
Get your key: c0ffee

--------------------------------
Process exited after 0.04379 seconds with return value 0
请按任意键继续. .
举报

相关推荐

0 条评论