1.打開源碼
打開源碼
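#include <stdio.h>
#include <stdlib.h> /* declares exit() and atoi(); the original listing omitted it */
#include <string.h>

/*
 * Challenge program: validates three command-line arguments and, when all
 * three checks pass, prints a value computed from them in hexadecimal.
 *
 * Exit status: 1 = wrong argument count, 2 = argv[1] check failed,
 *              3 = argv[2] check failed, 4 = argv[3] check failed,
 *              0 = all checks passed and the value was printed.
 *
 * Every constant the checks compare against is visible in this source, and
 * the printed value depends only on inputs that the checks pin down
 * (first, second % 17, and the length of argv[3]). The "key" is therefore
 * not a secret to anyone who can read the code.
 */
int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    /*
     * atoi() parses base-10 text and reports no errors; text it cannot
     * convert yields 0, which simply fails the comparison below.
     */
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    /* Rejected when second % 5 == 3 or when second % 17 != 8. */
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    /* strcmp() returns non-zero on mismatch, so only "h4cky0u" gets past. */
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    /*
     * Line 29 of the numbered listing. strlen() returns size_t, so the sum
     * is evaluated in the wider unsigned type and converted back to
     * unsigned int on assignment.
     */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    /* Line 32 of the numbered listing: the value is printed in hex. */
    printf("%x\n", hash);

    return 0;
}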
2. 分析
很明顯,第29行計算flag,第32行代碼輸出十六進制形式。第29行代碼就是利用argv[1]~argv[3]的數據進行計算。
2.1 argv[1]
/* Guard on argv[1]: any value other than 0xcafe prints the message and exits with status 2. */
if (first != 0xcafe) { printf("you are wrong, sorry.\n"); exit(2); }
不等於0xcafe就退出,所以first必須等於0xcafe。注意atoi只解析十進制,直接運行原程序時argv[1]要傳51966(0xcafe的十進制),傳"0xcafe"會被解析成0。
2.2 argv[2]
/* Guard on argv[2]: exits with status 3 when second % 5 == 3 or second % 17 != 8,
   so execution continues only if second % 5 != 3 and second % 17 == 8. */
if (second % 5 == 3 || second % 17 != 8) { printf("ha, you won't get it!\n"); exit(3); }
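滿足if條件就退出,所以需要 second % 5 != 3 且 second % 17 == 8。8 雖然滿足 8 % 17 == 8,但 8 % 5 == 3,不行;我想到第一個符合的數就是25(25 % 5 == 0,25 % 17 == 8),second = 25。第29行只用到 second % 17,所以任何符合條件的second算出的結果都相同。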
2.3 argv[3]
/* Guard on argv[3]: strcmp returns 0 only when the strings are equal, so any
   argv[3] other than "h4cky0u" takes this branch and exits with status 4. */
if (strcmp("h4cky0u", argv[3])) { printf("so close, dude!\n"); exit(4); }
兩個字串相等時strcmp返回0,if條件不成立,不會進入退出分支,所以argv[3]=“h4cky0u”
3.get flag!
綜上,寫出解flag代碼
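#include <stdio.h>
#include <stdlib.h> /* declares system(); the original listing omitted it */
#include <string.h>

/*
 * Reproduces the challenge's key computation with the three inputs fixed to
 * the values that pass its checks: first = 0xcafe, second = 25
 * (25 % 5 == 0, 25 % 17 == 8) and the string "h4cky0u" (length 7).
 *
 * With a 32-bit unsigned int the expression evaluates to 12648430, which
 * "%x" prints as c0ffee.
 */
int main(int argc, char* argv[]) {
    /*
     * The command line is not used. The third input lives in a local
     * pointer instead of being stored into argv[3], which lies outside the
     * argv array when the program is started without arguments.
     */
    (void)argc;
    (void)argv;

    /* Same types as the challenge source, so the arithmetic is identical. */
    unsigned int first = 0xcafe;
    unsigned int second = 25;
    const char *third = "h4cky0u";

    printf("Brr wrrr grr\n");

    /* strlen() returns size_t; the sum is converted back to unsigned int. */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(third) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);

    /* Keeps a Windows console window open; PAUSE is a cmd.exe command. */
    system("PAUSE");
    return 0;
}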