pwnable.kr lotto write-up
Posted by liuyimin
Source code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    #include <unistd.h>   /* read(), close(): added here, the listing as posted omitted it */

    unsigned char submit[6];

    void play(){
        int i;
        printf("Submit your 6 lotto bytes : ");
        fflush(stdout);

        int r;
        r = read(0, submit, 6);
        printf("Lotto Start!\n");
        //sleep(1);

        // generate lotto numbers
        int fd = open("/dev/urandom", O_RDONLY);
        if(fd==-1){
            printf("error. tell admin\n");
            exit(-1);
        }
        unsigned char lotto[6];
        if(read(fd, lotto, 6) != 6){
            printf("error2. tell admin\n");
            exit(-1);
        }
        for(i=0; i<6; i++){
            lotto[i] = (lotto[i] % 45) + 1;   // 1 ~ 45
        }
        close(fd);

        // calculate lotto score
        int match = 0, j = 0;
        for(i=0; i<6; i++){
            for(j=0; j<6; j++){
                if(lotto[i] == submit[j]){
                    match++;
                }
            }
        }

        // win!
        if(match == 6){
            system("/bin/cat flag");
        }
        else{
            printf("bad luck...\n");
        }
    }

    void help(){
        printf("- nLotto Rule -\n");
        printf("nlotto is consisted with 6 random natural numbers less than 46\n");
        printf("your goal is to match lotto numbers as many as you can\n");
        printf("if you win lottery for *1st place*, you will get reward\n");
        printf("for more details, follow the link below\n");
        printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
        printf("mathematical chance to win this game is known to be 1/8145060.\n");
    }

    int main(int argc, char* argv[]){
        // menu
        unsigned int menu;
        while(1){
            printf("- Select Menu -\n");
            printf("1. Play Lotto\n");
            printf("2. Help\n");
            printf("3. Exit\n");
            scanf("%d", &menu);
            switch(menu){
                case 1:
                    play();
                    break;
                case 2:
                    help();
                    break;
                case 3:
                    printf("bye\n");
                    return 0;
                default:
                    printf("invalid menu\n");
                    break;
            }
        }
        return 0;
    }
Key code:

    int match = 0, j = 0;
    for(i=0; i<6; i++){
        for(j=0; j<6; j++){
            if(lotto[i] == submit[j]){
                match++;
            }
        }
    }

    // win!
    if(match == 6){
        system("/bin/cat flag");
    }
The lotto numbers in this challenge lie in the range 1-45; whenever a lotto number equals a submitted byte, match is incremented, and when match reaches 6 you get the flag. Since lotto is generated locally, let's look at how it is generated:

    for(i=0; i<6; i++){
        lotto[i] = (lotto[i] % 45) + 1;   // 1 ~ 45
    }
    close(fd);
So the six numbers are drawn at random from the range 1-45.

Now look at the ASCII table:

The real printable symbols start at code 33, so we pick our input characters from the codes that fall in that range (33 through 45).

As the figure shows, pick one character and keep submitting it six at a time; sooner or later it equals one of the drawn numbers, that match is counted 6 times, and the flag is printed:
sorry mom... I FORGOT to check duplicate numbers... :(
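The root cause, shown as an added example that is not part of the original write-up or of the challenge source: the scoring loop compares every drawn number against every submitted byte, so a submission of six identical bytes scores 6 for each drawn position holding that value, and the flag check passes whenever exactly one drawn number happens to match. The corrected scoring function below rejects out-of-range or duplicate submissions and counts each drawn number at most once; the sample draw and submissions are constructed values.

```c
#include <stdio.h>

/* Scoring logic as in lotto.c: every lotto[i] is compared against every
 * submit[j], so a value appearing k times in submit is counted k times. */
int score_original(const unsigned char *lotto, const unsigned char *submit) {
    int match = 0, i, j;
    for (i = 0; i < 6; i++)
        for (j = 0; j < 6; j++)
            if (lotto[i] == submit[j])
                match++;
    return match;
}

/* Corrected scoring (added here, not the challenge's code): reject bytes
 * outside 1..45 and duplicate picks, then count each drawn position once.
 * Returns -1 for an invalid submission. */
int score_fixed(const unsigned char *lotto, const unsigned char *submit) {
    int seen[46] = {0};     /* index = lotto value 1..45 */
    int match = 0, i;
    for (i = 0; i < 6; i++) {
        if (submit[i] < 1 || submit[i] > 45 || seen[submit[i]])
            return -1;      /* out of range or duplicate pick */
        seen[submit[i]] = 1;
    }
    for (i = 0; i < 6; i++)
        if (seen[lotto[i]])
            match++;
    return match;
}

int main(void) {
    /* constructed sample draw, a six-times-repeated pick, and a correct pick */
    unsigned char lotto[6]  = {3, 17, 22, 30, 41, 45};
    unsigned char dup[6]    = {41, 41, 41, 41, 41, 41};
    unsigned char honest[6] = {45, 41, 30, 22, 17, 3};
    printf("original scoring, repeated pick : %d\n", score_original(lotto, dup));    /* 6 */
    printf("fixed scoring,    repeated pick : %d\n", score_fixed(lotto, dup));       /* -1 */
    printf("fixed scoring,    correct pick  : %d\n", score_fixed(lotto, honest));    /* 6 */
    return 0;
}
```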