知识点:seed() 和rand函数,然后在不同的操作系统上,相同的seed()得到的是不同的rand值
查壳ubuntu的系统
38位flag
首先我们找到他的随机种子
动调知道第一个是0xD9
在uubutu上创建 一个c文件
touch 123.cpp
然后 编写代码
#include "bits/stdc++.h"
using namespace std;
int main(){
for(long long i=0;i<=0xF0000000;i+=0x10000000){
srand(i);
if((rand()&0xff)==0xd9){
cout<<hex<<i<<endl;
}
}
return 0;
}
g++ 123.cpp
./a.out
找到种子为0x60000000
我们接下来提取他的rand
我们可以发现,他一共用了三段
第一段 38位
第二段 37个
第三段 38个
然后就是开逆!
总体流程
异或—— ptr换表——异或——异或
多多利用动调!!!!
key1=[217,15,24,189,199,22,129,190,248,74,101,242,93,171,43,51,212,165,103,152,159,126,43,93,194,175,142,58,76,165,117,37,180,141,227,123,163,100,]
key2=[318468153,800293276,2019609262,1595854750,1243016334,2035920907,509882954,1395076537,2128114239,956569374,87728478,1501331366,1080700342,58660349,1564659237,170421217,1019943002,1208904679,2089480593,1151441384,761988129,2005241821,1142722701,143914390,305033730,1483851073,230338083,407939813,1125728700,611300551,758577225,1444196853,1411593827,630702839,892567956,507126513,519140099,]
key3=[222,170,66,252,9,232,178,6,13,147,97,244,36,73,21,1,215,171,4,24,207,233,213,150,51,202,249,42,94,234,45,60,148,111,56,157,88,234,]
key4=[191, 215, 46, 218, 238, 168, 26, 16, 131, 115,
172, 241, 6, 190, 173, 136, 4, 215, 18, 254,
181, 226, 97, 183, 61, 7, 74, 232, 150, 162,
157, 77, 188, 129, 140, 233, 136, 120, ]
h='congratulationstoyoucongratulationstoy'
flag=[ord(i) for i in h]
for i in range(len(key4)):
flag[i]^=key4[i]
for i in range(len(key3)):
flag[i]^=key3[i]&0xff
ptr=[i for i in range(len(flag))]
count =0
for i in range(len(flag)-1,0,-1):
v18=key2[count]%(i+1)
count+=1
ptr[v18],ptr[i]=ptr[i],ptr[v18]
ans=[0 for i in range(38)]
count=0
for i in ptr:
ans[i]=flag[count]
count+=1
for i in range(len(key1)):
print(chr((ans[i]^(key1[i]&0xff))),end='')
#flag{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}