Daddy, teach me how to use random value in programming!<\/p>\n\n\n\n
ssh random@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n
#include <stdio.h>\n\nint main(){\n\tunsigned int random;\n\trandom = rand();\t\/\/ random value!\n\n\tunsigned int key=0;\n\tscanf(\"%d\", &key);\n\n\tif( (key ^ random) == 0xdeadbeef ){\n\t\tprintf(\"Good!\\n\");\n\t\tsystem(\"\/bin\/cat flag\");\n\t\treturn 0;\n\t}\n\n\tprintf(\"Wrong, maybe you should try 2^32 cases.\\n\");\n\treturn 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n\ubb38\uc81c\uc758 \uc18c\uc2a4\ucf54\ub4dc\ub294 \uc704\uc640 \uac19\ub2e4.
rand() \ud568\uc218\ub85c \ubc1b\uc740 random \uac12\uacfc \uc0ac\uc6a9\uc790\ub85c\ubd80\ud130 \ubc1b\uc740 key \uac12\uc744 XOR \uc5f0\uc0b0\ud588\uc744\ub54c 0xdeadbeef\uba74, \ud50c\ub798\uadf8\ub97c \ucd9c\ub825\ud55c\ub2e4.<\/p>\n\n\n\n
\n\n\n\n\ud480\uc774<\/h2>\n\n\n\n
rand() \ud568\uc218\ub294 \ub79c\ub364\ud55c \uc22b\uc790\ub97c \ubc18\ud658\ud558\ub294\ub370, \uc2e4\uc81c\ub85c\ub294 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9e4\ubc88 \ucc98\uc74c \uc2e4\ud589\uc2dc\ud0ac\ub54c\ub9c8\ub2e4 \uac19\uc740 \uac12\uc774 \ub098\uc628\ub2e4.<\/p>\n\n\n\n
\ub530\ub77c\uc11c \ub514\ubc84\uac70\uc5d0\uc11c rand \ud568\uc218\uc758 \ubc18\ud658\uac12\uc744 \ucc98\ub9ac\ud558\ub294 \uba54\ubaa8\ub9ac\uc8fc\uc18c\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uc124\uc815\ud558\uace0 \uac12\uc744 \uc54c\uc544\ub0b4\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
\n\ngdb-peda$ disas main\nDump of assembler code for function main:\n...\n 0x0000000000400601 <+13>:\tcall 0x400500 <rand@plt>\n 0x0000000000400606 <+18>:\tmov DWORD PTR [rbp-0x4],eax\n...\ngdb-peda$ b *main+18\nBreakpoint 1 at 0x400606\ngdb-peda$ r\n...\nBreakpoint 1, 0x0000000000400606 in main ()\ngdb-peda$ i r $eax\neax 0x6b8b4567 0x6b8b4567<\/pre>\n<\/div>\n<\/div>\n\n\n\nrand()\uc758 \ubc18\ud658\uac12\uc740 0x6b8b4567\uc600\ub2e4.<\/p>\n\n\n\n
XOR \uc5f0\uc0b0\uc740 (A ^ B) ^ B = A\uc774\uae30\uc5d0
key ^ random = 0xdeadbeef
key ^ 0x6b8b4567 = 0xdeadbeef
key = 0xdeadbeef ^ 0x6b8b4567 = 0xb526fb88<\/p>\n\n\n\n
scanf(“%d”, &key);\uc5d0\uc11c 10\uc9c4\uc218\ub85c \uac12\uc744 \uc785\ub825\ubc1b\uae30 \ub54c\ubb38\uc5d0
0xb526fb88 = 3039230856<\/p>\n\n\n\n
\n\nfrom pwn import *\n\ns = ssh('random', 'pwnable.kr', 2222, 'guest')\np = s.process('.\/random')\n\np.sendline(b\"3039230856\")\n\ndata = p.recvall()\nprint(data)\np.close()\ns.close()<\/pre>\n<\/div>\n<\/div>\n\n\n\n\n\nubuntu@docker:~\/CTF\/pwnable.kr\/random$ python3 random_solve.py \n[+] Connecting to pwnable.kr on port 2222: Done\n[*] col@pwnable.kr:\n Distro Ubuntu 16.04\n OS: linux\n Arch: amd64\n Version: 4.4.179\n ASLR: Enabled\n[+] Starting remote process bytearray(b'.\/random') on pwnable.kr: pid 406828\n[+] Receiving all data: Done (55B)\n[*] Stopped remote process 'random' on pwnable.kr (pid 406828)\nb'Good!\\nMommy, I thought libc random is unpredictable...\\n'\n[*] Closed connection to 'pwnable.kr'<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"Daddy, teach me how to use random value in programming! ssh random@pwnable.kr -p2222 (pw:guest) \ubb38\uc81c\uc758 \uc18c\uc2a4\ucf54\ub4dc\ub294 \uc704\uc640 \uac19\ub2e4.rand() \ud568\uc218\ub85c \ubc1b\uc740 random \uac12\uacfc \uc0ac\uc6a9\uc790\ub85c\ubd80\ud130 \ubc1b\uc740 key \uac12\uc744 XOR \uc5f0\uc0b0\ud588\uc744\ub54c 0xdeadbeef\uba74, \ud50c\ub798\uadf8\ub97c \ucd9c\ub825\ud55c\ub2e4. \ud480\uc774 rand() \ud568\uc218\ub294 \ub79c\ub364\ud55c \uc22b\uc790\ub97c \ubc18\ud658\ud558\ub294\ub370, \uc2e4\uc81c\ub85c\ub294 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9e4\ubc88 \ucc98\uc74c \uc2e4\ud589\uc2dc\ud0ac\ub54c\ub9c8\ub2e4 \uac19\uc740 \uac12\uc774 \ub098\uc628\ub2e4. \ub530\ub77c\uc11c \ub514\ubc84\uac70\uc5d0\uc11c rand \ud568\uc218\uc758 \ubc18\ud658\uac12\uc744 \ucc98\ub9ac\ud558\ub294 \uba54\ubaa8\ub9ac\uc8fc\uc18c\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uc124\uc815\ud558\uace0 \uac12\uc744… \ub354 \ubcf4\uae30 »random<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=546"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":548,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions\/548"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}