[Share] pwnable.kr BlackJack day10
2021-1-12 23:01
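Challenge
Solution
1. Trying the game
This is a game similar to blackjack (21).
The starting cash is 500. We enter a bet, and if the bet is larger than the cash we hold, an error message is shown.
Once cash exceeds one million, the flag is shown.
2. Reading the source
The source is too large to include here; it has been uploaded as an attachment.
The core functions are betting() and play().
betting() is the function where we place our bet.
As can be seen, after bet is entered there is no check on whether the bet value is valid; bet is returned in every case.
play() is the core function of the game.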
```c
void play() // Plays game
{
    int p = 0; // holds value of player_total
    int i = 1; // counter for asking user to hold or stay (aka game turns)
    char choice3;

    cash = cash;
    cash_test();
    printf("\nCash: $%d\n", cash); // Prints amount of cash user has
    randcard(); // Generates random card
    player_total = p + l; // Computes player total
    p = player_total;
    printf("\nYour Total is %d\n", p); // Prints player total
    dealer(); // Computes and prints dealer total
    betting(); // Prompts user to enter bet amount

    while (i <= 21) // While loop used to keep asking user to hit or stay at most twenty-one times
                    // because there is a chance user can generate twenty-one consecutive 1's
    {
        if (p == 21) // If user total is 21, win
        {
            printf("\nUnbelievable! You Win!\n");
            won = won + 1;
            cash = cash + bet;
            printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
            dealer_total = 0;
            askover();
        }

        if (p > 21) // If player total is over 21, loss
        {
            printf("\nWoah Buddy, You Went WAY over.\n");
            loss = loss + 1;
            cash = cash - bet;
            printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
            dealer_total = 0;
            askover();
        }

        if (p <= 21) // If player total is less than 21, ask to hit or stay
        {
            printf("\n\nWould You Like to Hit or Stay?");

            scanf("%c", &choice3);
            while ((choice3 != 'H') && (choice3 != 'h') && (choice3 != 'S') && (choice3 != 's')) // If invalid choice entered
            {
                printf("\n");
                printf("Please Enter H to Hit or S to Stay.\n");
                scanf("%c", &choice3);
            }

            if ((choice3 == 'H') || (choice3 == 'h')) // If Hit, continues
            {
                randcard();
                player_total = p + l;
                p = player_total;
                printf("\nYour Total is %d\n", p);
                dealer();
                if (dealer_total == 21) // If dealer total is 21, loss
                {
                    printf("\nDealer Has the Better Hand. You Lose.\n");
                    loss = loss + 1;
                    cash = cash - bet;
                    printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                    dealer_total = 0;
                    askover();
                }

                if (dealer_total > 21) // If dealer total is over 21, win
                {
                    printf("\nDealer Has Went Over!. You Win!\n");
                    won = won + 1;
                    cash = cash + bet;
                    printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                    dealer_total = 0;
                    askover();
                }
            }
            if ((choice3 == 'S') || (choice3 == 's')) // If Stay, does not continue
            {
                printf("\nYou Have Chosen to Stay at %d. Wise Decision!\n", player_total);
                stay();
            }
        }
        i++; // While player total and dealer total are less than 21, re-do while loop
    } // End While Loop
} // End Function
```
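The key points are as follows.
When we win, our cash becomes cash + bet; when we lose, it becomes cash - bet.
From betting() we know that the bet input is not restricted enough, so we can enter a large negative number and then lose on purpose. Our balance then goes straight past one million, which meets the condition for seeing the flag; playing one more round shows the flag.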
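The missing check and one way to close it, as an added example that is not part of the original post or the challenge source. `settle_loss` mirrors the `cash = cash - bet` line from play(); `parse_bet` is a hypothetical hardened input routine, and the sample strings are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Loss settlement exactly as play() does it: cash = cash - bet. */
static int settle_loss(int cash, int bet) { return cash - bet; }

/* Hypothetical hardened bet reader (not the challenge's betting()).
 * Returns 0 and stores the bet in *out only if the whole string is a
 * decimal integer with 1 <= bet <= cash; returns -1 otherwise. */
static int parse_bet(const char *text, int cash, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno == ERANGE)   /* no digits, or value overflowed long */
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')                     /* trailing junk such as "10abc" */
        return -1;
    if (v < 1 || v > cash)                /* reject zero, negatives and overdraw */
        return -1;
    *out = (int)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured from the challenge. */
    const char *samples[] = { "100", "600", "-1000000", "0", "10abc",
                              "99999999999999999999" };
    int cash = 500, bet;

    printf("unchecked loss with bet -1000000: cash = %d\n",
           settle_loss(cash, -1000000));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_bet(samples[i], cash, &bet) == 0)
            printf("%-22s accepted, a loss leaves %d\n", samples[i],
                   settle_loss(cash, bet));
        else
            printf("%-22s rejected\n", samples[i]);
    }
    return 0;
}
```

With the range check in place, a loss can only lower cash and never drives it below zero, so the one-million threshold is reachable only by winning.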
3. pwn
The flag is inside the red box.