pwnable.kr — random (predictable rand() output when srand() is never called)

(gdb) disass main
Dump of assembler code for function main:
   0x00000000004005f4 <+0>:	push   %rbp
   0x00000000004005f5 <+1>:	mov    %rsp,%rbp
   0x00000000004005f8 <+4>:	sub    $0x10,%rsp
   0x00000000004005fc <+8>:	mov    $0x0,%eax // NOT a seed: rand() takes no arguments. Nothing in main calls srand(), so glibc's generator runs from its default initial state and produces the same sequence on every execution
   0x0000000000400601 <+13>:	callq  0x400500 <rand@plt>
   0x0000000000400606 <+18>:	mov    %eax,-0x4(%rbp) // store rand()'s return value in local v1 (int). eax = 0x6b8b4567 = 1804289383 here (see the register dump below); because the sequence was never seeded, this first value is identical on every run
   0x0000000000400609 <+21>:	movl   $0x0,-0x8(%rbp) //初始化局部变量v2
   0x0000000000400610 <+28>:	mov    $0x400760,%eax   // rax = address of the "%d" format string (see x/s dump below)
   0x0000000000400615 <+33>:	lea    -0x8(%rbp),%rdx // rdx = &v2 (address of the local scanf writes into)
   0x0000000000400619 <+37>:	mov    %rdx,%rsi // 2nd arg (rsi) = &v2
   0x000000000040061c <+40>:	mov    %rax,%rdi  // 1st arg (rdi) = "%d"
   0x000000000040061f <+43>:	mov    $0x0,%eax // SysV ABI: for a variadic call, al = number of vector registers holding arguments; scanf gets none here, so eax = 0. It is not a string parameter
   0x0000000000400624 <+48>:	callq  0x4004f0 <__isoc99_scanf@plt>
   0x0000000000400629 <+53>:	mov    -0x8(%rbp),%eax
   0x000000000040062c <+56>:	xor    -0x4(%rbp),%eax // eax = v2 ^ v1 (user input XOR the "random" value)
   0x000000000040062f <+59>:	cmp    $0xdeadbeef,%eax  // the whole check: (v1 ^ v2) == 0xdeadbeef
   0x0000000000400634 <+64>:	jne    0x400656 <main+98> // mismatch -> "Wrong" path
   0x0000000000400636 <+66>:	mov    $0x400763,%edi // puts("Good!")
   0x000000000040063b <+71>:	callq  0x4004c0 <puts@plt>
   0x0000000000400640 <+76>:	mov    $0x400769,%edi // rdi = "/bin/cat flag"
   0x0000000000400645 <+81>:	mov    $0x0,%eax // eax = 0 (same al-clearing convention as before the scanf call)
   0x000000000040064a <+86>:	callq  0x4004d0 <system@plt> // win path: system("/bin/cat flag"), reachable only when the XOR check above passes
   0x000000000040064f <+91>:	mov    $0x0,%eax // return 0
   0x0000000000400654 <+96>:	jmp    0x400665 <main+113> // skip to the epilogue
   0x0000000000400656 <+98>:	mov    $0x400778,%edi // failure path: address of the "Wrong, maybe you should try 2^32 cases." string (passed to puts, not printf)
   0x000000000040065b <+103>:	callq  0x4004c0 <puts@plt>
---Type <return> to continue, or q <return> to quit---r
   0x0000000000400660 <+108>:	mov    $0x0,%eax
   0x0000000000400665 <+113>:	leaveq 
   0x0000000000400666 <+114>:	retq   
End of assembler dump.

(gdb) x/16s 0x400760
0x400760:	"%d"
0x400763:	"Good!"
0x400769:	"/bin/cat flag"
0x400777:	""
0x400778:	"Wrong, maybe you should try 2^32 cases."
0x4007a0:	"\001\033\003;,"   (this and the entries below are not program strings: x/16s has run past the last real string into adjacent binary data — presumably .eh_frame_hdr; ignore them)
0x4007a6:	""
0x4007a7:	""
0x4007a8:	"\004"
0x4007aa:	""
0x4007ab:	""
0x4007ac:	"\020\375\377\377H"
0x4007b2:	""
0x4007b3:	""
0x4007b4:	"T\376\377\377p"
0x4007ba:	""
(gdb) i r    (registers right after rand@plt returns, rip = main+18; rax holds rand()'s return value)
rax            0x6b8b4567	1804289383
rbx            0x0	0
rcx            0x7ff3248b30a4	140682266882212
rdx            0x7ff3248b30a8	140682266882216
rsi            0x7ffe4171787c	140729996376188
rdi            0x7ff3248b3620	140682266883616
rbp            0x7ffe417178b0	0x7ffe417178b0
rsp            0x7ffe417178a0	0x7ffe417178a0
r8             0x7ff3248b30a4	140682266882212
r9             0x7ff3248b3120	140682266882336
r10            0x47f	1151
r11            0x7ff324529f60	140682263175008
r12            0x400510	4195600
r13            0x7ffe41717990	140729996376464
r14            0x0	0
r15            0x0	0
rip            0x400606	0x400606 <main+18>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

v1 = 0x6b8b4567 — rand()'s first output. It is constant across runs because main never calls srand(); any program that treats an unseeded rand() value as a secret can be bypassed this way.

The check is v1 ^ v2 == 0xdeadbeef, and XOR is its own inverse, so:

v2 = 0xdeadbeef ^ v1 = 0xB526FB88 = 3039230856 (unsigned), which is -1255736440 as a signed 32-bit int.

Note that scanf("%d") reads a signed int, so 3039230856 is out of range for the format; the run below shows that on this glibc it still ends up stored as 0xB526FB88 (presumably the 64-bit conversion result is truncated to the low 32 bits on store — verify if you rely on it). The in-range input -1255736440 avoids that dependency entirely.

random@ubuntu:~$ ./random 
3039230856
Good!
Mommy, I thought libc random is unpredictable...


Reposted from blog.csdn.net/Maxmalloc/article/details/82811157