pwnable.kr [Toddler's Bottle] - lotto

Mommy! I made a lotto program for my homework.
do you want to play?

ssh lotto@pwnable.kr -p2222 (pw:guest)

同样是一个小游戏，考查...细心程度。

源码如下：

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

unsigned char submit[6];

void play(){
    
    int i;
    printf("Submit your 6 lotto bytes : ");
    fflush(stdout);

    int r;
    r = read(0, submit, 6);

    printf("Lotto Start!\n");
    //sleep(1);

    // generate lotto numbers
    int fd = open("/dev/urandom", O_RDONLY);
    if(fd==-1){
        printf("error. tell admin\n");
        exit(-1);
    }
    unsigned char lotto[6];
    if(read(fd, lotto, 6) != 6){
        printf("error2. tell admin\n");
        exit(-1);
    }
    for(i=0; i<6; i++){
        lotto[i] = (lotto[i] % 45) + 1;     // 1 ~ 45
    }
    close(fd);
    
    // calculate lotto score
    int match = 0, j = 0;
    for(i=0; i<6; i++){
        for(j=0; j<6; j++){
            if(lotto[i] == submit[j]){
                match++;
            }
        }
    }

    // win!
    if(match == 6){
        system("/bin/cat flag");
    }
    else{
        printf("bad luck...\n");
    }

}

void help(){
    printf("- nLotto Rule -\n");
    printf("nlotto is consisted with 6 random natural numbers less than 46\n");
    printf("your goal is to match lotto numbers as many as you can\n");
    printf("if you win lottery for *1st place*, you will get reward\n");
    printf("for more details, follow the link below\n");
    printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
    printf("mathematical chance to win this game is known to be 1/8145060.\n");
}

int main(int argc, char* argv[]){

    // menu
    unsigned int menu;

    while(1){

        printf("- Select Menu -\n");
        printf("1. Play Lotto\n");
        printf("2. Help\n");
        printf("3. Exit\n");

        scanf("%d", &menu);

        switch(menu){
            case 1:
                play();
                break;
            case 2:
                help();
                break;
            case 3:
                printf("bye\n");
                return 0;
            default:
                printf("invalid menu\n");
                break;
        }
    }
    return 0;
}

规则是输入一个 6 字节的字符串，与程序随机生成的 6 字节字符串比较（ /dev/urandom 文件是 Linux 系统生成的char型随机数据，从这里读数据相当于产生不为空的随机字符流），相同则成功。并且由 lotto[i] = (lotto[i] % 45) + 1; // 1 ~ 45 可知 lotto 中字符的 ASCII 码为 1 到 45 。
ASCII 码表中只有 DEC 33 开始才是可见字符，所以需要输入的字符为 ASCII DEC 33 到 45 。

明确了规则还不够，因为从正常流程下猜中的几率几乎为 0 。

继续看代码，发现一个问题：

    // calculate lotto score
    int match = 0, j = 0;
    for(i=0; i<6; i++){
        for(j=0; j<6; j++){
            if(lotto[i] == submit[j]){
                match++;
            }
        }
    }

这里的循环逻辑是，对于每 lotto[i] ，会和输入字串的每一个字符去比较，相等就使 match +1，而成功需要match = 6 。所以只要输入的字串为相同的6个字符，6个字符里有一个中了，那就中了 :P

又由于是随机产生的 lotto 串，这里只要重复尝试一个字串就行了：

……
Submit your 6 lotto bytes : ''''''
Lotto Start!
bad luck...
- Select Menu -
1. Play Lotto
2. Help
3. Exit
1
Submit your 6 lotto bytes : ''''''
Lotto Start!
sorry mom... I FORGOT to check duplicate numbers... :(

至于需要尝试几次就完全看运气了。