
Pwnable.kr - random

random

Daddy, teach me how to use random value in programming!

ssh random@pwnable.kr -p2222 (pw:guest)
#include <stdio.h>

/*
 * pwnable.kr "random": the challenge binary, reproduced as shipped.
 *
 * The weakness is the gate, not the XOR: rand() is called without any prior
 * srand(), so the C library starts from its default seed (the standard
 * mandates seed 1 in that case) and the first rand() result is the same on
 * every run -- 0x6b8b4567 on this host, as the gdb session below shows.
 * The check therefore accepts exactly one input,
 * key = 0x6b8b4567 ^ 0xdeadbeef = 0xb526fb88 (3039230856 decimal), and the
 * "2^32 cases" taunt is a red herring.
 *
 * Notes for anyone reusing this code outside the challenge:
 *  - <stdlib.h> is not included, so rand() and system() are implicitly
 *    declared (removed from the language in C99; a hard error in C23 and on
 *    recent compilers).
 *  - scanf("%d") writes through an int* into an unsigned int and its return
 *    value is ignored, so non-numeric input leaves key == 0.
 *  - 3039230856 is above INT_MAX; storing it relies on glibc truncating the
 *    parsed long to 32 bits (it does here, see the run below). Entering the
 *    signed form -1255736440 yields the same bit pattern without that
 *    dependence.
 *  - A time-based seed (srand(time(NULL))) would not fix this either: rand()
 *    is not a cryptographic generator and such a seed is guessable to within
 *    a few seconds.
 */
int main(){
        unsigned int random;
        random = rand();        // never seeded: identical value on every run (0x6b8b4567 here)

        unsigned int key=0;
        scanf("%d", &key);      // unchecked; %d into an unsigned object (works on this ABI)

        // Only key == random ^ 0xdeadbeef passes; random is fixed, so this is one guess.
        if( (key ^ random) == 0xdeadbeef ){
                printf("Good!\n");
                system("/bin/cat flag");        // shells out; "flag" is resolved relative to the cwd
                return 0;
        }

        printf("Wrong, maybe you should try 2^32 cases.\n");
        return 0;
}

Solution

보통 난수를 생성하려면 <stdlib.h>, <time.h>에 있는 srand(), time() 함수로 시드를 설정해야 함.
즉, srand(time(NULL)) 같은 시드 설정 코드가 필요한데 위 코드에는 없음.
(참고: srand(time(NULL))을 넣더라도 시드가 현재 시각이라 몇 초 범위에서 쉽게 추측되고, rand() 자체가 암호학적으로 안전한 난수 생성기가 아니므로 보안 목적이라면 getrandom()이나 /dev/urandom을 써야 함.)

따라서 srand() 호출이 없으면 C 표준에 따라 시드 1로 시작하므로, rand()의 첫 반환값은 실행할 때마다 동일함. 이 값만 알아내면 해결.
(gdb) disas main
Dump of assembler code for function main: 
   0x00000000004005f4 <+0>:     push   rbp
   0x00000000004005f5 <+1>:     mov    rbp,rsp
   0x00000000004005f8 <+4>:     sub    rsp,0x10
   0x00000000004005fc <+8>:     mov    eax,0x0
   0x0000000000400601 <+13>:    call   0x400500 <rand@plt>
   0x0000000000400606 <+18>:    mov    DWORD PTR [rbp-0x4],eax      
   0x0000000000400609 <+21>:    mov    DWORD PTR [rbp-0x8],0x0      
   0x0000000000400610 <+28>:    mov    eax,0x400760
   0x0000000000400615 <+33>:    lea    rdx,[rbp-0x8]
   0x0000000000400619 <+37>:    mov    rsi,rdx
   0x000000000040061c <+40>:    mov    rdi,rax
   0x000000000040061f <+43>:    mov    eax,0x0
   0x0000000000400624 <+48>:    call   0x4004f0 <__isoc99_scanf@plt>
   0x0000000000400629 <+53>:    mov    eax,DWORD PTR [rbp-0x8]      
   0x000000000040062c <+56>:    xor    eax,DWORD PTR [rbp-0x4]      
   0x000000000040062f <+59>:    cmp    eax,0xdeadbeef
   0x0000000000400634 <+64>:    jne    0x400656 <main+98>
   0x0000000000400636 <+66>:    mov    edi,0x400763
   0x000000000040063b <+71>:    call   0x4004c0 <puts@plt>
   0x0000000000400640 <+76>:    mov    edi,0x400769
   0x0000000000400645 <+81>:    mov    eax,0x0
   0x000000000040064a <+86>:    call   0x4004d0 <system@plt>
   0x000000000040064f <+91>:    mov    eax,0x0
   0x0000000000400654 <+96>:    jmp    0x400665 <main+113>
   0x0000000000400656 <+98>:    mov    edi,0x400778
   0x000000000040065b <+103>:   call   0x4004c0 <puts@plt>
   0x0000000000400660 <+108>:   mov    eax,0x0
   0x0000000000400665 <+113>:   leave
   0x0000000000400666 <+114>:   ret
End of assembler dump.
0x00000000004005fc <+8>:     mov    eax,0x0
0x0000000000400601 <+13>:    call   0x400500 <rand@plt>
0x0000000000400606 <+18>:    mov    DWORD PTR [rbp-0x4],eax
gdb-peda$ x/wx $rbp-0x4
0x7ffe2551906c: 0x6b8b4567

내가 입력한 값도 scanf("%d")가 10진수 문자열을 32비트 정수로 변환해서 저장함 (gdb가 16진수로 표시할 뿐, 비교는 같은 비트 값끼리 이루어짐).
입력값과 랜덤값의 xor 값이 0xdeadbeef여야 함.

>>> a=0x6b8b4567 ^ 0xdeadbeef
>>> print(a)
3039230856

random@pwnable:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable...
This post is licensed under CC BY 4.0 by the author.