首先查看题目
int main(){
unsigned int random;
random = rand(); // random value!
unsigned int key=0;
scanf("%d", &key);
if( (key ^ random) == 0xdeadbeef ){
printf("Good!\n");
system("/bin/cat flag");
return 0;
}
printf("Wrong, maybe you should try 2^32 cases.\n");
return 0;
}
发现这段代码表面上是随机数,但是缺少了语句
srand((unsigned int)time(NULL));
所以每次产生的随机数都是一样的顺序,所以只需要在自己本地建立一个随机数生成c文件
#include<stdio.h>
#include<stdlib.h>
int main()
{
unsigned random;
random=rand();
printf("%u\n",random);
return 0;
}
随后在文件夹中打开终端,编译
gcc -g ran.c -o ran
之后运行得到ran的结果随机数
root@kali:~/pwnable.kr/random# ./random
1804289383
执行目的函数的要求
root@kali:~/pwnable.kr/random# python
Python 2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 1804289383^0xdeadbeef
3039230856
之后输入所得到的值即可得到flag
random@ubuntu:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable...