coin1 - pwnable

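Challenge

Script analysis

The challenge is to find the counterfeit coin using binary search. The game runs for 100 rounds, and each round is worth one point. The game is played interactively with the server.

One thing to note: in each round, after finding and entering the counterfeit coin, you need to enter the counterfeit coin's index once more to start the next round or to obtain the flag.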

~$ nc pwnable.kr 9007

	---------------------------------------------------
	-              Shall we play a game?              -
	---------------------------------------------------
	
	You have given some gold coins in your hand
	however, there is one counterfeit coin among them
	counterfeit coin looks exactly same as real coin
	however, its weight is different from real one
	real coin weighs 10, counterfeit coin weighes 9
	help me to find the counterfeit coin with a scale
	if you find 100 counterfeit coins, you will get reward :)
	FYI, you have 60 seconds.
	
	- How to play - 
	1. you get a number of coins (N) and number of chances (C)
	2. then you specify a set of index numbers of coins to be weighed
	3. you get the weight information
	4. 2~3 repeats C time, then you give the answer
	
	- Example -
	[Server] N=4 C=2 	# find counterfeit among 4 coins with 2 trial
	[Client] 0 1 		# weigh first and second coin
	[Server] 20			# scale result : 20
	[Client] 3			# weigh fourth coin
	[Server] 10			# scale result : 10
	[Client] 2 			# counterfeit coin is third!
	[Server] Correct!

	- Ready? starting in 3 sec... -
	
N=7 C=3

For the solution script, just read the code directly; it is commented:

# coding: utf-8
from pwn import *
import re


def get_weight(start, end, prog):
	# Weigh coins start..end (inclusive) and return the scale reading
	payload = " ".join(str(num) for num in range(start, end + 1))
	prog.sendline(payload.encode())
	print("[-]client:", payload)
	weight = prog.recvline().decode().strip()
	print("[+]server:", weight)
	try:
		return int(weight)
	except ValueError:
		return weight

def choose_coin(nums, chances, prog):
	start = 0
	end = nums - 1
	for chance in range(chances):
		print("{:=^25}".format("round{}/{}".format(chance, chances - 1)))
		mid = (start + end) // 2
		weight = get_weight(start, mid, prog)
		if (weight % 10) != 0:
			# The weighed half contains the fake coin (weight 9)
			end = mid
		else:
			start = mid + 1
	# All chances are used up: send the index of the fake coin as the answer
	prog.sendline(str(end).encode())
	result = prog.recvline().decode()
	print("[+]server:", result)


prog = remote("pwnable.kr", 9007)
print(prog.recv().decode())  # challenge description and instructions
print('=' * 25)

# Loop to score 100 times
for _ in range(100):
	print('=' * 10, "START", '=' * 25)
	info = prog.recvline().decode()  # coin count and chances
	print("[+]server:", info)
	# Extract the coin count and the chances with a regular expression
	numbers = re.findall(r'\d+', info)
	coins = int(numbers[0])
	chances = int(numbers[1])
	# Start narrowing down the fake coin
	choose_coin(coins, chances, prog)

print(prog.recv().decode())  # recv flag
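
An offline check of the halving strategy used by the script above, added here as an example and not part of the original post: it runs the search against a constructed mock scale and confirms that every chance is spent before the answer is given, including rounds where the search converges early. `MockScale`, `min_chances`, `find_fake` and `check_all` are hypothetical names, and the mock assumes the server grants at least ceil(log2(N)) chances, as in the page's samples N=4 C=2 and N=7 C=3.

```python
class MockScale:
    """Constructed stand-in for the game server: real coins weigh 10, the fake weighs 9."""

    def __init__(self, n, fake):
        self.n, self.fake, self.weighings = n, fake, 0

    def weigh(self, indices):
        self.weighings += 1
        return sum(9 if i == self.fake else 10 for i in indices)


def min_chances(n):
    """Weighings needed to isolate one coin among n by halving: ceil(log2(n))."""
    return (n - 1).bit_length()


def find_fake(n, chances, scale):
    """Same halving strategy as the script; always spends all `chances` weighings."""
    lo, hi = 0, n - 1
    for _ in range(chances):
        mid = (lo + hi) // 2
        # A total that is not a multiple of 10 means the fake is in lo..mid.
        if scale.weigh(range(lo, mid + 1)) % 10 != 0:
            hi = mid
        else:
            lo = mid + 1
    if lo != hi:
        raise ValueError("not enough chances to isolate the coin")
    return hi


def check_all(max_n, extra=0):
    """Run every (n, fake) pair up to max_n; return the number of cases that passed."""
    passed = 0
    for n in range(1, max_n + 1):
        for fake in range(n):
            scale = MockScale(n, fake)
            chances = min_chances(n) + extra
            assert find_fake(n, chances, scale) == fake
            assert scale.weighings == chances
            passed += 1
    return passed


if __name__ == "__main__":
    print(check_all(128), "cases pass with the minimum number of chances")
    print(check_all(128, extra=2), "cases pass when the search converges early")
```

When the range has already shrunk to one coin, the remaining weighings put that single coin on the scale, read 9, and leave the range unchanged, which is why the index appears to be entered again before the answer.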