攻防世界 (XCTF adworld) -- open-source

1. Open the source code

 1 #include <stdio.h>
 2 #include <string.h>
 3 #include <stdlib.h>
 4 int main(int argc, char *argv[]) {
 5     if (argc != 4) {
 6         printf("what?\n");
 7         exit(1);
 8     }
 9 
10     unsigned int first = atoi(argv[1]);
11     if (first != 0xcafe) {
12         printf("you are wrong, sorry.\n");
13         exit(2);
14     }
15 
16     unsigned int second = atoi(argv[2]);
17     if (second % 5 == 3 || second % 17 != 8) {
18         printf("ha, you won't get it!\n");
19         exit(3);
20     }
21 
22     if (strcmp("h4cky0u", argv[3])) {
23         printf("so close, dude!\n");
24         exit(4);
25     }
26 
27     printf("Brr wrrr grr\n");
28 
29     unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
30 
31     printf("Get your key: ");
32     printf("%x\n", hash);
33     
34     return 0;
35 }

 

2. Analysis

Clearly, line 29 computes the flag and line 32 prints it in hexadecimal. Line 29 does the calculation from the data in argv[1]~argv[3].

 

2.1 argv[1]

    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

If first is not equal to 0xcafe the program exits, so first = 0xcafe.

 

2.2 argv[2]

    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

If the if condition is satisfied the program exits. The first number I thought of that does not satisfy it is 25, so second = 25.

 

2.3 argv[3]

    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

strcmp returns 0 when the strings are equal, so the if body is skipped; therefore argv[3] = "h4cky0u".

 

3. Get flag!

Putting it all together, write the code that computes the flag:

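#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    /* Values derived in section 2 */
    unsigned int first = 0xcafe;
    unsigned int second = 25;
    const char *third = "h4cky0u";

    printf("Brr wrrr grr\n");

    /* Same expression as line 29 of the challenge source */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(third) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);

    system("PAUSE");  /* Windows only: keeps the console window open */
    return 0;
}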
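
As a check on the choices made in section 2, the following added example (not part of the original post or of the challenge) brute-forces argv[2] and shows that every accepted value produces the same key, because line 29 only uses second % 17. It also shows why argv[1] has to be typed in decimal. The helper names second_ok, key_for, smallest_second and count_same_key are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same test as line 17 of the challenge, inverted: 1 means the value passes. */
static int second_ok(unsigned int second) {
    return !(second % 5 == 3 || second % 17 != 8);
}

/* Same expression as line 29 of the challenge. */
static unsigned int key_for(unsigned int first, unsigned int second, const char *third) {
    return first * 31337 + (second % 17) * 11 + (unsigned int)strlen(third) - 1615810207u;
}

/* Smallest accepted value for argv[2], found by brute force. */
static unsigned int smallest_second(void) {
    unsigned int s = 0;
    while (!second_ok(s)) s++;
    return s;
}

/* Count accepted values below limit; returns 0 if any of them gives a different key. */
static unsigned int count_same_key(unsigned int limit, unsigned int expected) {
    unsigned int n = 0;
    for (unsigned int s = 0; s < limit; s++) {
        if (!second_ok(s)) continue;
        if (key_for(0xcafe, s, "h4cky0u") != expected) return 0;
        n++;
    }
    return n;
}

int main(void) {
    /* atoi() reads decimal only, so argv[1] must be "51966", not "0xcafe". */
    printf("atoi(\"0xcafe\") = %d, atoi(\"51966\") = %#x\n",
           atoi("0xcafe"), (unsigned int)atoi("51966"));
    unsigned int s = smallest_second();
    unsigned int key = key_for(0xcafe, s, "h4cky0u");
    printf("smallest second = %u, key = %x\n", s, key);
    printf("accepted values below 1000 with that key: %u\n", count_same_key(1000, key));
    return 0;
}
```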


Reposted from: https://www.cnblogs.com/Mayfly-nymph/p/11391823.html
