Functions
atoi: https://baike.baidu.com/item/atoi/10931331?fr=aladdin
strcmp:https://baike.baidu.com/item/strcmp/5495571?fr=aladdin
strlen:https://baike.baidu.com/item/strlen/2737?fr=aladdin
argc argv:https://baike.baidu.com/item/argc%20argv/10826112?fr=aladdin
https://blog.csdn.net/dgreh/article/details/80985928
Source code (the original omits <stdlib.h>, which declares atoi() and exit(); added here so the program compiles cleanly):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char* argv[])
{
    /* exactly three user-supplied arguments are required */
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }
    printf("Brr wrrr grr\n");
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
Analysis:
Get past every if statement and you obtain the flag.
if (argc != 4) { printf("what?\n"); exit(1); }
argc must be 4 (that is, 3 real arguments): argv[0] holds the full path of the running program.
unsigned int first = atoi(argv[1]); if (first != 0xcafe) { printf("you are wrong, sorry.\n"); exit(2); }
first = 0xcafe passes this check.
first=0xcafe
unsigned int second = atoi(argv[2]); if (second % 5 == 3 || second % 17 != 8) { printf("ha, you won't get it!\n"); exit(3); }
One value that passes this check is 25 (25 % 5 == 0, so not 3, and 25 % 17 == 8),
so a valid value of second is 25
second=25
if (strcmp("h4cky0u", argv[3])) { printf("so close, dude!\n"); exit(4); }
This check is passed when strcmp() returns 0, i.e. argv[3] equals "h4cky0u"
argv[3]="h4cky0u"
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207; printf("Get your key: "); printf("%x\n", hash);
first=0xcafe
second % 17 = 8
strlen(argv[3]) = 7
printf("%x\n", hash)
prints hash as a hexadecimal number
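Rather than running the binary, the key can be recovered by re-implementing the checks and the hash expression. The block below is an added example written for this write-up (not part of the challenge source); the function names passes_checks, compute_key and smallest_valid_second are my own. It also confirms that any second with second % 17 == 8 yields the same key, because only second % 17 enters the hash.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the three value checks of the challenge binary.
 * Returns 1 if the inputs would reach the key computation, 0 otherwise. */
int passes_checks(unsigned int first, unsigned int second, const char *third)
{
    if (first != 0xcafe) return 0;
    if (second % 5 == 3 || second % 17 != 8) return 0;
    if (strcmp("h4cky0u", third) != 0) return 0;
    return 1;
}

/* Same expression as the original program. Everything is unsigned, so the
 * int constant 1615810207 is converted to unsigned before the subtraction. */
unsigned int compute_key(unsigned int first, unsigned int second, const char *third)
{
    return first * 31337 + (second % 17) * 11 + (unsigned int)strlen(third) - 1615810207;
}

/* Smallest second that survives both modulo tests: 8 fails because 8 % 5 == 3,
 * the next candidate, 25, passes. */
unsigned int smallest_valid_second(void)
{
    unsigned int s;
    for (s = 0; ; s++)
        if (s % 5 != 3 && s % 17 == 8) return s;
}

int main(void)
{
    unsigned int second = smallest_valid_second();           /* 25 */
    if (passes_checks(0xcafe, second, "h4cky0u"))
        printf("Get your key: %x\n", compute_key(0xcafe, second, "h4cky0u")); /* prints c0ffee */
    return 0;
}
```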