luck_guy
<h1>🌓Analysis</h1>
<p>The flag is produced in the get_flag() function.</p>
<p><img src="https://pic.imgdb.cn/item/63761baa16f2c2beb16ff5ab.png" alt="" /> </p>
<p>Because rand itself is not deterministic, we can patch the program so that it jumps directly to case 4, then to case 5, and finally to case 1, which yields the flag.</p>
<p><img src="https://pic.imgdb.cn/item/63761e3f16f2c2beb174dc43.png" alt="" /> </p>
<p><img src="https://pic.imgdb.cn/item/63761e7116f2c2beb1752004.png" alt="" /> </p>
<p><img src="https://pic.imgdb.cn/item/63761ebf16f2c2beb1759e51.png" alt="" /> </p>
<p><img src="https://pic.imgdb.cn/item/63761ef616f2c2beb175ea44.png" alt="" /> </p>
<p>Finally, the flag can be obtained.</p>
<p><img src="https://pic.imgdb.cn/item/63761f4716f2c2beb176598d.png" alt="" /></p>
<h1>🌓Attachments</h1>
<p>Before patch: <a href="https://cowtransfer.com/s/95ff6151eeca4e">https://cowtransfer.com/s/95ff6151eeca4e</a>
After patch: <a href="https://cowtransfer.com/s/93bf4585f4f240">https://cowtransfer.com/s/93bf4585f4f240</a></p>