1.打开源码
打开源码
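#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Challenge program: validates three command-line arguments and, only if
 * every check passes, prints a key computed from them.
 *
 * Exit codes: 1 = wrong argument count, 2 = argv[1] rejected,
 * 3 = argv[2] rejected, 4 = argv[3] rejected, 0 = key printed.
 *
 * <stdlib.h> is required for atoi() and exit(); without it both calls are
 * implicit declarations, which modern compilers reject.
 */
int main(int argc, char *argv[]) {
    /* Program name plus exactly three arguments. */
    if (argc != 4) {
        printf("what? ");
        exit(1);
    }

    /*
     * atoi() parses DECIMAL text only and reports no errors: non-numeric
     * input (including a "0x..." prefix) yields 0, and an out-of-range value
     * is undefined behaviour. The int result is converted to unsigned here.
     * To equal 0xcafe the argument therefore has to be the decimal 51966.
     */
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry. ");
        exit(2);
    }

    /*
     * Rejected when second % 5 == 3 OR second % 17 != 8, so an accepted
     * value satisfies second % 17 == 8 and second % 5 != 3.
     */
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it! ");
        exit(3);
    }

    /* strcmp() returns 0 on an exact match; any non-zero result exits. */
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude! ");
        exit(4);
    }

    printf("Brr wrrr grr ");

    /*
     * Key computation (line 29 of the numbered listing). Only second % 17
     * and the LENGTH of argv[3] enter the formula, and both are fixed by the
     * checks above, so every accepted input produces the same key.
     * strlen() returns size_t, so the sum is evaluated in size_t and then
     * truncated to unsigned int on assignment.
     */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    /* Hexadecimal output of the key (line 32 of the numbered listing). */
    printf("%x ", hash);

    return 0;
}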
2. 分析
很明显,第29行(unsigned int hash = … 这一句)计算flag,第32行(printf("%x ", hash))以十六进制形式输出。第29行的计算用到了argv[1]~argv[3]的数据。
2.1 argv[1]
/*
 * Gate on argv[1]. `first` comes from atoi(argv[1]) in the full listing, and
 * atoi() parses decimal text, so the command-line argument that passes this
 * comparison is 51966 (the decimal form of 0xcafe).
 */
if (first != 0xcafe) {
    printf("you are wrong, sorry. ");
    exit(2);
}
不等于0xcafe就退出,所以first必须等于0xcafe。注意atoi按十进制解析字符串,实际运行程序时argv[1]要写成0xcafe的十进制形式51966。
2.2 argv[2]
/*
 * Gate on argv[2]. The program exits when EITHER condition holds, so an
 * accepted value needs second % 17 == 8 AND second % 5 != 3.
 * 8 fails (8 % 5 == 3); 25 passes (25 % 17 == 8, 25 % 5 == 0).
 */
if (second % 5 == 3 || second % 17 != 8) {
    printf("ha, you won't get it! ");
    exit(3);
}
满足if条件就退出,所以要同时满足 second % 17 == 8 且 second % 5 != 3。8不行(8 % 5 == 3),第一个符合条件的数是25,所以second = 25
2.3 argv[3]
/*
 * Gate on argv[3]. strcmp() returns 0 only when the two strings are equal,
 * so the exit branch is skipped only for the exact string "h4cky0u".
 */
if (strcmp("h4cky0u", argv[3])) {
    printf("so close, dude! ");
    exit(4);
}
两个字符串相等时strcmp返回0,if条件不成立,不会执行exit(4),所以argv[3]="h4cky0u"
3.get flag!
综上,写出解flag代码
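#include <stdio.h>
#include <string.h>

/*
 * Stand-alone re-computation of the challenge key with the three accepted
 * inputs hard-coded: first = 0xcafe, second = 25, third = "h4cky0u".
 * With these values the arithmetic below works out to 0xc0ffee.
 *
 * Changes from the original solver:
 *  - The third input lives in a local pointer. The original assigned to
 *    argv[3], which lies outside the argv array when the program is started
 *    with fewer than three arguments (an out-of-bounds write).
 *  - first/second are unsigned int, matching the challenge source, so the
 *    multiplication is done in the same type as in the challenge.
 *  - system("PAUSE") is replaced by getchar(): it called system() without
 *    <stdlib.h>, only works where a PAUSE command exists, and spawns a
 *    command interpreter just to wait for a key press.
 */
int main(int argc, char* argv[])
{
    /* Command-line arguments are intentionally unused. */
    (void)argc;
    (void)argv;

    const unsigned int first = 0xcafe;
    const unsigned int second = 25;
    const char *third = "h4cky0u";

    printf("Brr wrrr grr ");

    /* Same formula as the challenge; only second % 17 and strlen matter. */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(third) - 1615810207;

    printf("Get your key: ");
    printf("%x ", hash);

    /* Make sure the key is visible, then wait for Enter before exiting. */
    fflush(stdout);
    getchar();

    return 0;
}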