(gdb) disass main
Dump of assembler code for function main:
0x00000000004005f4 <+0>: push %rbp
0x00000000004005f5 <+1>: mov %rsp,%rbp
0x00000000004005f8 <+4>: sub $0x10,%rsp
0x00000000004005fc <+8>: mov $0x0,%eax //把eax清零后调用rand(); 程序没有调用srand, 随机数种子未设置(相当于固定种子), 所以每次运行得到的序列都一样
0x0000000000400601 <+13>: callq 0x400500 <rand@plt>
0x0000000000400606 <+18>: mov %eax,-0x4(%rbp) //生成一个随机数并放在局部变量v1处(int type) (0x6b8b4567 ;1804289383 ;查看一下eax,因为是伪随机数且种子固定,所以每次随机出来的值都一样 )
0x0000000000400609 <+21>: movl $0x0,-0x8(%rbp) //初始化局部变量v2
0x0000000000400610 <+28>: mov $0x400760,%eax
0x0000000000400615 <+33>: lea -0x8(%rbp),%rdx //把局部变量v2的地址提出
0x0000000000400619 <+37>: mov %rdx,%rsi //并作为源地址, &v2
0x000000000040061c <+40>: mov %rax,%rdi //把0x400760(格式字符串"%d")作为scanf的第一个参数
0x000000000040061f <+43>: mov $0x0,%eax //把eax清零 (scanf是变参函数, 调用约定要求al=使用的向量寄存器个数, 这里为0)
0x0000000000400624 <+48>: callq 0x4004f0 <__isoc99_scanf@plt>
0x0000000000400629 <+53>: mov -0x8(%rbp),%eax
0x000000000040062c <+56>: xor -0x4(%rbp),%eax //v1异或v2放到eax中
0x000000000040062f <+59>: cmp $0xdeadbeef,%eax //比较 v1^v2 是否等于 0xdeadbeef
0x0000000000400634 <+64>: jne 0x400656 <main+98> //不相等跳走
0x0000000000400636 <+66>: mov $0x400763,%edi //puts输出字符串的地址
0x000000000040063b <+71>: callq 0x4004c0 <puts@plt>
0x0000000000400640 <+76>: mov $0x400769,%edi //传入0x400769参数
0x0000000000400645 <+81>: mov $0x0,%eax //将eax清零
0x000000000040064a <+86>: callq 0x4004d0 <system@plt>
0x000000000040064f <+91>: mov $0x0,%eax //return 0
0x0000000000400654 <+96>: jmp 0x400665 <main+113>
0x0000000000400656 <+98>: mov $0x400778,%edi // puts输出字符串的地址 (源码中可能是printf, 被编译成puts)
0x000000000040065b <+103>: callq 0x4004c0 <puts@plt>
0x0000000000400660 <+108>: mov $0x0,%eax
0x0000000000400665 <+113>: leaveq
0x0000000000400666 <+114>: retq
End of assembler dump.
(gdb) x/16s 0x400760
0x400760: "%d"
0x400763: "Good!"
0x400769: "/bin/cat flag"
0x400777: ""
0x400778: "Wrong, maybe you should try 2^32 cases."
0x4007a0: "\001\033\003;,"
0x4007a6: ""
0x4007a7: ""
0x4007a8: "\004"
0x4007aa: ""
0x4007ab: ""
0x4007ac: "\020\375\377\377H"
0x4007b2: ""
0x4007b3: ""
0x4007b4: "T\376\377\377p"
0x4007ba: ""
(gdb) i r
rax 0x6b8b4567 1804289383
rbx 0x0 0
rcx 0x7ff3248b30a4 140682266882212
rdx 0x7ff3248b30a8 140682266882216
rsi 0x7ffe4171787c 140729996376188
rdi 0x7ff3248b3620 140682266883616
rbp 0x7ffe417178b0 0x7ffe417178b0
rsp 0x7ffe417178a0 0x7ffe417178a0
r8 0x7ff3248b30a4 140682266882212
r9 0x7ff3248b3120 140682266882336
r10 0x47f 1151
r11 0x7ff324529f60 140682263175008
r12 0x400510 4195600
r13 0x7ffe41717990 140729996376464
r14 0x0 0
r15 0x0 0
rip 0x400606 0x400606 <main+18>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
v1=0x6b8b4567
v1^v2=0xdeadbeef
v2=0xdeadbeef^v1=0xB526FB88=3039230856
random@ubuntu:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable...