1. 给出的程序是源码，注释是分析。注意第 5 行写的是 `if (argc = 4)`（赋值而不是比较），条件恒为真，程序对任何输入都会打印 "what?" 并退出，所以 key 只能按源码手工推算。
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
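/*
 * Parse a non-negative decimal integer from an argv string.
 *
 * Returns the parsed value, or 0 when the string is empty, has trailing
 * non-digit characters, or does not fit in an unsigned int. atoi, which
 * the original used, silently accepts "51966abc" and wraps on overflow.
 * 0 is a safe sentinel here because neither check in main accepts it
 * (0 != 0xcafe, and 0 % 17 != 8).
 */
static unsigned int parse_decimal(const char *s) {
    char *end = NULL;
    errno = 0;
    unsigned long value = strtoul(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || value > UINT_MAX) {
        return 0;
    }
    return (unsigned int)value;
}

/*
 * Crackme entry point. Expects exactly three arguments:
 *
 *   argv[1]  decimal number that must equal 0xcafe (51966)
 *   argv[2]  decimal number with second % 5 != 3 and second % 17 == 8
 *   argv[3]  the exact string "h4cky0u"
 *
 * On success prints the key in hex and returns 0. Exit status 1 means a
 * wrong argument count; 2, 3 and 4 mean the first, second and third
 * check failed respectively.
 */
int main(int argc, char *argv[]) {
    /* The original had `if (argc = 4)`: an assignment, always true, so
     * the program rejected every invocation. `!=` is what was meant. */
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    unsigned int first = parse_decimal(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    unsigned int second = parse_decimal(argv[2]);
    /* Only second % 17 feeds the hash below, so every accepted value of
     * second yields the same key. */
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    /* strcmp returns 0 only on an exact match. */
    if (strcmp(argv[3], "h4cky0u") != 0) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    /* Unsigned arithmetic wraps modulo 2^32 by definition, which is the
     * intended behaviour here. strlen is cast so the whole expression
     * stays in unsigned int instead of being promoted to size_t; the low
     * 32 bits are identical either way. With the accepted inputs:
     * 0xcafe * 31337 + 8 * 11 + 7 - 1615810207 == 0xc0ffee. */
    unsigned int hash = first * 31337u + (second % 17) * 11u
                      + (unsigned int)strlen(argv[3]) - 1615810207u;
    printf("Get your key: %x\n", hash);
    return 0;
}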
重点:从后面看需要输出的是hash
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
2. 此时参数未知，需要根据源码逐个确定。
first = 0xcafe // 必须相等才能继续执行；注意 first 是用 atoi 按十进制解析的，所以实际传给程序的应是 51966，而不是字符串 "0xcafe"。
3. strlen(argv[3])：第三个参数的长度。argv[3] 必须等于 "h4cky0u"（strcmp 返回 0 才能通过），因此长度固定为 7：
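#include <stdio.h>
#include <string.h>

/*
 * Print the length of the third argument the crackme expects
 * ("h4cky0u"); that length is what strlen(argv[3]) contributes to the
 * key computation.
 */
int main(void)
{
    /* The original wrote `char argv = h4cky0u;` and included <stblib.h>,
     * neither of which compiles; strlen needs a NUL-terminated string. */
    const char *argv = "h4cky0u";
    /* %zu is the correct specifier for size_t; %d with a size_t is UB. */
    printf("%zu\n", strlen(argv)); /* prints 7 */
    return 0;
}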
4. second：下面的循环打印的是会被程序拒绝的值（满足 second % 5 == 3 或 second % 17 != 8）。编写最终脚本时，选一个没有被打印出来的数即可，例如 25（25 % 5 == 0，25 % 17 == 8）。注意条件要用 or 而不是 `|`：Python 中 `|` 的优先级高于 `==`，`i % 5 == 3 | i % 17 != 8` 会被解析成链式比较，输出的集合是错的。
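def rejected_seconds(limit=1000):
    """Return the ``second`` values in ``[0, limit)`` that the binary rejects.

    The C check exits when ``second % 5 == 3 || second % 17 != 8``; any
    value not in the returned list passes it (e.g. 25, 42, 59, 76).
    """
    # ``or``, not ``|``: in Python ``|`` binds tighter than ``==``, so
    # ``i % 5 == 3 | i % 17 != 8`` parses as a chained comparison and
    # produces the wrong set.
    return [i for i in range(limit) if i % 5 == 3 or i % 17 != 8]


for i in rejected_seconds():
    print(i)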
5.最终脚本
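def compute_key(first=0xCAFE, second=25, name="h4cky0u"):
    """Reproduce the crackme's key computation in Python.

    first  -- must be 0xcafe; the binary parses argv[1] with atoi, so on
              the command line this is decimal 51966.
    second -- any value with second % 5 != 3 and second % 17 == 8. Only
              second % 17 reaches the hash, so every accepted value gives
              the same key; 25 is simply one of them.
    name   -- argv[3]; the binary insists on exactly "h4cky0u", and only
              its length (7) enters the hash.

    Returns the key as an int masked to 32 bits, mirroring the binary's
    ``unsigned int hash`` printed with ``%x`` (Python ints never wrap on
    their own). Raises ValueError for inputs the binary would reject.
    """
    if first != 0xCAFE:
        raise ValueError("first must be 0xcafe")
    if second % 5 == 3 or second % 17 != 8:
        raise ValueError("second must satisfy second % 5 != 3 and second % 17 == 8")
    if name != "h4cky0u":
        raise ValueError('name must be "h4cky0u"')
    raw = first * 31337 + (second % 17) * 11 + len(name) - 1615810207
    return raw & 0xFFFFFFFF


first = 0xCAFE
key = compute_key(first)  # ``hash`` is a builtin; don't shadow it
print(hex(key))  # 0xc0ffee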
结果:0xc0ffee
所以,flag:c0ffee