pwnable.kr Question 6: random

0x000 Environment
Source code of the challenge:

#include <stdio.h>
#include <stdlib.h>

int main(){
    unsigned int random;
    random = rand();    // random value! (never seeded with srand, so it is the same every run)

    unsigned int key=0;
    scanf("%d", &key);  // our input; only the 32-bit pattern matters

    if( (key ^ random) == 0xdeadbeef ){
        printf("Good!\n");
        system("/bin/cat flag");
        return 0;
    }

    printf("Wrong, maybe you should try 2^32 cases.\n");
    return 0;
}

As the source shows, rand() is called without any prior srand(), so the C library starts from its default seed (1 in glibc) and rand() returns the same value on every run. Only if the program seeded the generator, for example with srand((unsigned)time(NULL)), would the value differ from run to run. The "2^32 cases" message is a bluff: nothing has to be brute-forced.

0x001 Exploit

XOR is its own inverse: if key ^ random == 0xdeadbeef, then key == random ^ 0xdeadbeef. Knowing any two of the three values gives the third. So all we need is the value rand() produces; XOR it with 0xdeadbeef and the result is the number to enter.
Run the binary under gdb and disassemble main.

It is easy to see that [rbp-8] holds our input key and [rbp-4] holds the generated random value. Set a breakpoint at *0x40062f (after the result of rand() has been stored) and run the program.

Examining the 4 bytes at rbp-4 (x/wx $rbp-4) at the breakpoint shows the random value.

XOR that value with 0xdeadbeef; the result is the number we need to enter. Note that the breakpoint address and the stack offsets are those of the challenge binary on pwnable.kr; a locally compiled copy will have different ones, and the value of rand() must come from the same libc the server uses.
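As an added example (not from the original writeup), the following C program reproduces the reasoning above without gdb: it calls the unseeded rand() exactly as the challenge binary does, inverts the XOR, and prints the decimal string to pipe into the binary. It assumes a glibc build, where the first unseeded rand() returns 1804289383 (0x6b8b4567); the function names are mine, not the challenge's.

```c
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdeadbeefu

/* What the challenge binary computes: rand() is never seeded, so this
 * returns the first value of the default sequence (assumption: glibc,
 * default seed 1, first value 1804289383 = 0x6b8b4567). */
unsigned int challenge_random(void)
{
    return (unsigned int)rand();
}

/* XOR is its own inverse: if key ^ random == TARGET,
 * then key == random ^ TARGET. */
unsigned int solve_key(unsigned int random)
{
    return random ^ TARGET;
}

/* The exact test the binary performs. */
int passes_check(unsigned int key, unsigned int random)
{
    return (key ^ random) == TARGET;
}

/* The binary reads the key with scanf("%d") into an unsigned int, so only
 * the 32-bit pattern matters. Emit it as a signed decimal string, which %d
 * always accepts (on 64-bit glibc the unsigned decimal happens to work too,
 * but only because %d converts through a 64-bit long and truncates).
 * Returns the number of characters written. */
int key_to_input(unsigned int key, char *buf, size_t buflen)
{
    int signed_key = (int)key;   /* two's complement reinterpretation (gcc) */
    return snprintf(buf, buflen, "%d", signed_key);
}

/* Replay what the binary does with that string: scanf("%d") into an int,
 * then compare the resulting bit pattern with the key we wanted. */
int input_round_trips(unsigned int key)
{
    char buf[32];
    int parsed = 0;

    key_to_input(key, buf, sizeof buf);
    if (sscanf(buf, "%d", &parsed) != 1)
        return 0;
    return (unsigned int)parsed == key;
}

int main(void)
{
    unsigned int random = challenge_random();
    unsigned int key = solve_key(random);
    char input[32];

    key_to_input(key, input, sizeof input);
    printf("random = 0x%08x\n", random);
    printf("key    = 0x%08x (check %s)\n", key,
           passes_check(key, random) ? "passes" : "fails");
    printf("feed this to the binary: echo %s | ./random\n", input);
    return passes_check(key, random) ? 0 : 1;
}
```

With glibc this prints key 0xb526fb88, i.e. the decimal -1255736440 (or, equivalently on that platform, 3039230856), which is the value the writeup obtains from gdb XORed with 0xdeadbeef.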



Source: www.cnblogs.com/DennyT/p/11622768.html