pwnable.kr: random (1)

random.c source

#include <stdio.h>
#include <stdlib.h>	// rand(), system()

int main(){
	unsigned int random;
	random = rand();	// random value! (never seeded with srand(), so the same every run)

	unsigned int key=0;
	scanf("%d", &key);

	if( (key ^ random) == 0xdeadbeef ){
		printf("Good!\n");
		system("/bin/cat flag");
		return 0;
	}

	printf("Wrong, maybe you should try 2^32 cases.\n");
	return 0;
}

Debugging random with gdb

The code shown in the screenshot corresponds to this line of the source:

if( (key ^ random) == 0xdeadbeef )

From the disassembly:

The key read by scanf() is stored at [rbp-8] and loaded into eax for the comparison.

The XOR is key ^ random = [rbp-8] ^ [rbp-4].

So set a breakpoint before the XOR and read [rbp-4]; that is the value of random. Because the program never calls srand(), rand() returns the same first value on every run, so the breakpoint only needs to be hit once.

Set the breakpoint just before 0x40062f (the XOR), run, and enter the test key 1234.

At the breakpoint, inspect the stack:

[rbp-8] = key = 1234 = 0x4d2

[rbp-4] = random = 0x6b8b4567 (glibc's first rand() output for the default seed of 1)

Since key ^ random == 0xdeadbeef is equivalent to key == random ^ 0xdeadbeef, the key to enter is:

random ^ 0xdeadbeef = 0x6b8b4567 ^ 0xdeadbeef = 0xB526FB88 = 3039230856

Note that 3039230856 is larger than INT_MAX. On 64-bit glibc, scanf("%d") converts the digits with strtol into a 64-bit long and stores the low 32 bits, so the bit pattern 0xB526FB88 survives. The signed form of the same bits, -1255736440, is the portable way to enter it.

Test passes: the program prints Good! and cats the flag.
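The following is an added example, not part of the original writeup or the challenge code. It reproduces the solve in C: it shows that an unseeded rand() equals rand() after srand(1) (guaranteed by the C standard; on glibc that value is 0x6b8b4567), inverts the XOR check to compute the key, and mirrors the challenge's comparison so the computed key can be verified locally. The names TARGET, compute_key and passes_check are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* The XOR target hard-coded in the challenge binary. */
#define TARGET 0xdeadbeefu

/* First value rand() returns when srand() was never called.
 * C guarantees this equals the first value after srand(1);
 * on glibc it is 0x6b8b4567. */
unsigned int first_unseeded_rand(void) {
    return (unsigned int)rand();
}

/* First value rand() returns after seeding with `seed`. */
unsigned int first_seeded_rand(unsigned int seed) {
    srand(seed);
    return (unsigned int)rand();
}

/* Returns 1 if the unseeded first value matches the srand(1) first value.
 * Only meaningful when this is the first rand() user in the process. */
int unseeded_equals_seed1(void) {
    unsigned int a = first_unseeded_rand();
    unsigned int b = first_seeded_rand(1);
    return a == b;
}

/* Invert the check: key ^ random == TARGET  <=>  key == random ^ TARGET. */
unsigned int compute_key(unsigned int random) {
    return random ^ TARGET;
}

/* Mirror of the challenge's comparison. */
int passes_check(unsigned int key, unsigned int random) {
    return (key ^ random) == TARGET;
}

int main(void) {
    unsigned int random = first_unseeded_rand();
    unsigned int key = compute_key(random);
    printf("random = 0x%08x\n", random);
    printf("key    = 0x%08x = %u (unsigned) = %d (signed)\n",
           key, key, (int)key);

    /* The challenge reads the key with scanf("%d") into an unsigned int.
     * The signed decimal string is the portable way to get the bit pattern
     * through %d; the unsigned string also works on 64-bit glibc. */
    char buf[32];
    unsigned int parsed = 0;
    snprintf(buf, sizeof buf, "%d", (int)key);
    sscanf(buf, "%d", &parsed);
    printf("input %s -> %s\n", buf,
           passes_check(parsed, random) ? "Good!" : "Wrong");
    return 0;
}
```

Run it on the same glibc system as the challenge and the printed key matches the value derived from the gdb session; on another libc the first rand() value differs, but the key derivation is the same.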
