Daddy told me about cool MD5 hash collision today. I wanna do something like that too! ssh col@pwnable.kr -p2222 (pw:guest)
先看源代码:
1 #include <stdio.h> 2 #include <string.h> 3 unsigned long hashcode = 0x21DD09EC; 4 unsigned long check_password(const char* p){ 5 int* ip = (int*)p; 6 int i; 7 int res=0; 8 for(i=0; i<5; i++){ 9 res += ip[i]; 10 } 11 return res; 12 } 13 14 int main(int argc, char* argv[]){ 15 if(argc<2){ 16 printf("usage : %s [passcode] ", argv[0]); 17 return 0; 18 } 19 if(strlen(argv[1]) != 20){ 20 printf("passcode length should be 20 bytes "); 21 return 0; 22 } 23 24 if(hashcode == check_password( argv[1] )){ 25 system("/bin/cat flag"); 26 return 0; 27 } 28 else 29 printf("wrong passcode. "); 30 return 0; 31 }
函数大体意思是,输入20个字节的数,在check_password里把char转换为int类型,,char为1字节,Int为4字节,这样5次循环正好是20个字节,且这20个字节之和为0x21DD09EC,
将0x21dd09ec分解为5个16进制数组
于是我们输入正确的密码,得到flag!