The same connection ssh, enter the password to view the file
Col.c look at the source code
#include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p; int i; int res=0; for(i=0; i<5; i++){ res += ip[i]; } return res; } int main(int argc, char* argv[]){ if(argc<2){ printf("usage : %s [passcode]\n", argv[0]); return 0; } if(strlen(argv[1]) != 20){ printf("passcode length should be 20 bytes\n"); return 0; } if(hashcode == check_password( argv[1] )){ system("/bin/cat flag"); return 0; } else printf("wrong passcode.\n"); return 0; }
For check_password hashcode function's return value is equal to res There In Flag, i.e. hashcode == 0x21DD09EC == res, check_password look function, turn into strong int, and five times the accumulated output res, while a second main function of the following if a constraint length of 20, an int is 4 bytes, divided into five groups exactly 20 bytes
We 0x21DD09EC to decimal 568 134 124, for convenience of calculation is again divided by adding 5 gave 113,626,825, before deduction of plus one is 1136268254, i.e. (113,626,825 113,626,8254 + = 568 134 124 * 4)
Then they turn into hexadecimal 0x6c5cec9 * 4 + 0x6c5cec8 = 0x21dd09ec
To know the value of the input can be input here for little endian input python
./col $(python -c 'print "\xc9\xce\xc5\x06"*4+"\xc8\xce\xc5\x06"')
daddy! I just managed to create a hash collision :)