Collision
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
int* ip = (int*)p;
int i;
int res=0;
for(i=0; i<5; i++){
res += ip[i];
}
return res;
}
int main(int argc, char* argv[]){
if(argc<2){
printf("usage : %s [passcode]\n", argv[0]);
return 0;
}
if(strlen(argv[1]) != 20){
printf("passcode length should be 20 bytes\n");
return 0;
}
if(hashcode == check_password( argv[1] )){
setregid(getegid(), getegid());
system("/bin/cat flag");
return 0;
}
else
printf("wrong passcode.\n");
return 0;
}这是源代码,这题简单,难点在于如何计算。只需结果等于hashcode即可
hashcode转换为十进制是:568134124
所以可以构造:113626825*4+113626824=568134124
再转换为16进制
printf '\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC8\xCE\xC5\x06' | ./col $(cat)Collision
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
int* ip = (int*)p;
int i;
int res=0;
for(i=0; i<5; i++){
res += ip[i];
}
return res;
}
int main(int argc, char* argv[])
{
ifargc<2){
printf("Usage: %s [passcode]\n", argv[0]);
return 0;
}
if strlen(argv[1]) != 20){
printf("The passcode must be 20 bytes long.\n");
return 0;
}
if(hashcode == check_password(argv[1]));
setregid(getegid(), getegid());
system("/bin/cat flag");
return 0;
}
else{
printf("Wrong passcode.\n");
return 0;
}This is the source code. The task is simple; the challenge lies in figuring out how to calculate the correct passcode. The passcode just needs to match the value of hashcode.
Converting hashcode to decimal gives: 568134124.
Therefore, the passcode that satisfies the condition is: 113626825 * 4 + 113626824 = 568134124.
To represent this passcode in hexadecimal format:
printf '\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC9\xCE\xC5\x06\xC8\xCE\xC5\x06' | ./col $(cat)