#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Target value that check_password() must produce for the flag to be printed;
 * main() compares the two for equality.  The constant fits in 32 bits with
 * bit 31 clear, i.e. it is a positive value when viewed as an int. */
unsigned long hashcode = 0x21DD09EC;
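/*
 * Fold a 20-byte passcode into the value that main() compares with `hashcode`.
 *
 * The passcode is read as five consecutive machine words of sizeof(unsigned)
 * bytes each (20 bytes on a 4-byte-int target) in native byte order, and the
 * words are summed modulo 2^32.
 *
 * p must point to at least 5 * sizeof(unsigned) readable bytes.  This function
 * has no length parameter and performs no bounds check of its own; main()
 * enforces strlen(argv[1]) == 20 before calling it.
 *
 * The words are fetched with memcpy instead of through an int* cast so the
 * read is well-defined whatever the buffer's alignment and does not violate
 * the strict-aliasing rule, and the accumulator is unsigned so a carry out of
 * bit 31 wraps instead of being signed overflow (undefined behaviour).
 *
 * Returns the wrapped 32-bit sum widened to unsigned long the same way the
 * original int accumulator was: a sum with bit 31 set is sign-extended, so it
 * can never compare equal to a positive 32-bit hashcode.
 */
unsigned long check_password(const char *p)
{
	enum { WORDS = 5 };
	unsigned sum = 0;
	unsigned long res;
	int i;

	for (i = 0; i < WORDS; i++) {
		unsigned word;
		memcpy(&word, p + (size_t)i * sizeof word, sizeof word);
		sum += word;	/* unsigned arithmetic: wraps, never UB */
	}

	res = sum;
	if (sum > (unsigned)INT_MAX) {
		/* Negative as an int: reproduce the sign extension of the
		 * original int -> unsigned long conversion.  When long is 32
		 * bits the subtrahend wraps to 0 and this is a no-op. */
		res -= (unsigned long)UINT_MAX + 1UL;
	}
	return res;
}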
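/*
 * Entry point: validate the command line, hash the passcode and print the flag
 * on a match.
 *
 * argv[1] must be exactly 20 bytes long as measured by strlen (so it cannot
 * contain an embedded NUL) because check_password() reads 20 bytes
 * unconditionally and has no length parameter of its own.
 *
 * Every path exits with status 0, including the usage and "wrong passcode"
 * paths; that is the behaviour of the original challenge binary and is kept.
 */
int main(int argc, char *argv[])
{
	const char *passcode;

	if (argc < 2) {
		/* argv[0] may be NULL when the program is exec'd with an empty
		 * argv; never hand a null pointer to %s. */
		const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "(unknown)";
		printf("usage : %s [passcode]\n", prog);
		return 0;
	}
	passcode = argv[1];

	if (strlen(passcode) != 20) {
		printf("passcode length should be 20 bytes\n");
		return 0;
	}

	if (check_password(passcode) == hashcode) {
		/* NOTE(review): system() runs the command through /bin/sh with
		 * the caller's environment, and "flag" is resolved relative to
		 * the current working directory.  That is the intended setup for
		 * a setuid challenge binary; anything else should open the file
		 * directly, or exec /bin/cat with an explicit argv and a
		 * sanitised environment, rather than go through the shell. */
		system("/bin/cat flag");
		return 0;
	}

	printf("wrong passcode.\n");
	return 0;
}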
Things learned. When the `char *` is cast to `int *` in `int* ip = (int*)p;`, each `ip[i]` (that is, `*(ip + i)`) reads 4 bytes at a time instead of 1, because the pointee type is now `int`, which is 4 bytes on this target, versus 1 byte for `char`. Note that `*ip + i` is something different: it dereferences a single `int` and then adds `i` to its value. Strictly speaking the cast also assumes the buffer is suitably aligned for `int` and breaks the strict-aliasing rule; `memcpy` into an `int` is the well-defined way to perform the same 4-byte read.
Something weird I noticed: in my environment the last payload was not recognized as a 20-byte input (the length check failed),
when run as gef➤ r `python -c "print('\x01' * 16 + '\xe8\x05\xd9\x1d')"`,
while replacing \xe8 and \xd9 with low bytes worked as normal:
gef➤ r `python -c "print('\x01' * 16 + '\x01\x02\x03\x04')"`
It might have something to do with the locale variables I changed yesterday while setting up gef. That would be consistent with `python` being Python 3 here: `print()` encodes the string with the locale's charset (UTF-8), so `\xe8` and `\xd9` are emitted as two bytes each (22 bytes in total), whereas `\x01`–`\x04` are ASCII and stay one byte. Writing raw bytes instead (`sys.stdout.buffer.write(b'...')`) or using Python 2 avoids the problem.
Anyway, to further understand pointers in C, I created a small demo and played around with it.
#include<stdio.h>
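/*
 * Pointer-stride demo: the same 20 bytes viewed through a char* and an int*.
 *
 * The int* cast is kept because it is the point being illustrated, but two
 * things it relies on are not promised by the C standard: a string literal is
 * only guaranteed char alignment, so `(int *)a` may be misaligned, and reading
 * char data through an int* breaks the strict-aliasing rule.  Both happen to
 * work on x86-64 with GCC; portable code copies the bytes out with memcpy.
 *
 * Addresses are printed with %p and a void* cast.  The original used %#018x,
 * which passes a pointer where printf expects an unsigned int and is
 * undefined behaviour.
 */
int main(void)
{
	const char *a = "AAAABBBBCCCCDDDDEEEE";
	const int *b = (const int *)a;	/* same address, 4-byte element stride */

	printf("the address of a pointer is : %p, and the pointer is pointing to %p\n",
	       (void *)&a, (const void *)a);
	printf("the address of b pointer is : %p and the pointer is pointing to %p\n",
	       (void *)&b, (const void *)b);

	/* a[1] is one byte past a[0]: a char* steps 1 per element. */
	printf("%p\n", (const void *)&a[1]);
	printf("%p\n", (const void *)&a[0]);
	printf("%p\n", (const void *)a);

	/* b[1] is four bytes past b[0]: an int* steps sizeof(int) per element,
	 * and each element is the 4 chars "AAAA" / "BBBB" read as one int. */
	printf("address for int* pointer b[0] %p the value is %#010x\n",
	       (const void *)&b[0], (unsigned)b[0]);
	printf("address for int* pointer b[1] %p the value is %#010x\n",
	       (const void *)&b[1], (unsigned)b[1]);
	printf("address for char* pointer a[0] %p the value is %#04x\n",
	       (const void *)&a[0], (unsigned)(unsigned char)a[0]);
	printf("address for char* pointer a[4] %p the value is %#04x\n",
	       (const void *)&a[4], (unsigned)(unsigned char)a[4]);
	printf("%d\n", *b);
	return 0;
}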