pwnable.kr [Toddler's Bottle] - coin1

Mommy, I wanna play a game!

(if your network response time is too slow, try nc 0 9007 inside pwnable.kr server)

Running at : nc pwnable.kr 9007

游戏规则如下：

---------------------------------------------------
-              Shall we play a game?              -
---------------------------------------------------

You have given some gold coins in your hand
however, there is one counterfeit coin among them
counterfeit coin looks exactly same as real coin
however, its weight is different from real one
real coin weighs 10, counterfeit coin weighes 9
help me to find the counterfeit coin with a scale
if you find 100 counterfeit coins, you will get reward :)
FYI, you have 30 seconds.

- How to play -
1. you get a number of coins (N) and number of chances (C)
2. then you specify a set of index numbers of coins to be weighed
3. you get the weight information
4. 2~3 repeats C time, then you give the answer

- Example -
[Server] N=4 C=2    # find counterfeit among 4 coins with 2 trial
[Client] 0 1        # weigh first and second coin
[Server] 20         # scale result : 20
[Client] 3          # weigh fourth coin
[Server] 10         # scale result : 10
[Client] 2          # coun
terfeit coin is third!
[Server] Correct!

就是在30秒内，以给定的输入次数完成游戏 100 次， 即 100 次找到 N 枚硬币中的 1 枚次品。

对于输入下标对应的硬币是否合格，主要看返回的weight末位数字是 0 （合格）还是 9 （含不合格）就可以了；直接输入当然不现实，可以简单地用二分法处理，连接服务器并跑出 flag 。人生苦短我用Python :P

这里还有一个问题，笔者一开始通过 pwn 库写脚本远程连接该服务器，无论怎么改进算法，最多跑出 8 次就到 30 秒的时限。所以如果不是在服务器本地跑（HOST = 0）一般是肯定来不及的，这里网络延迟的影响远远大于算法效率。

所以我们得先登录到pwnable.kr，任选一个之前连接过的用户登录，到 /tmp 目录下创建自己的目录，放上脚本即可。另外由于服务器上没有 pwn 或者 zio 库，只能手打 socket 连接：

import re
from socket import *

# func: get output str of numbers between inv
def getInv(inv):
invList = []
split = ' '
for i in range(inv[0], inv[1]):
invList.append(str(i))
return split.join(invList)

# server addr info
HOST = '0'  # local at pwnable.kr
PORT = 9007
ADDR = (HOST, PORT)
BUFSIZE = 1024

clientSocket = socket(AF_INET, SOCK_STREAM)
clientSocket.connect(ADDR)

# start: [Server]: N=? C=?
startPattern = re.compile(r'^N=(\d*)\sC=(\d*)$');
# step: [Server]: ***0 (qual)
qualPattern = re.compile(r'^(\d*0)$');
# step: [Server]: ***9 (unqual)
unqualPattern = re.compile(r'^(\d*9)$');

curInv = None  # current interval
preInv = None  # previous interval

while True:
data = clientSocket.recv(BUFSIZE)
print data

match1 = startPattern.match(data)
match2 = qualPattern.match(data)
match3 = unqualPattern.match(data)

if match1:  # match startPattern
curInv = (0, int(match1.group(1))/2)
preInv = (0, int(match1.group(1)))
print getInv(curInv)
clientSocket.send(getInv(curInv) + '\r\n')  # send numbers to HOST

elif match2:  # match qualPattern
preInv = (curInv[1], preInv[1])
curInv = (preInv[0], (preInv[0]+preInv[1])/2 + (preInv[0]+preInv[1])%2)
print getInv(curInv)
clientSocket.send(getInv(curInv) + '\r\n')

elif match3:  # match unqualPattern
preInv = curInv
curInv = (preInv[0],  (preInv[0]+preInv[1])/2 + (preInv[0]+preInv[1])%2)
print getInv(curInv)
clientSocket.send(getInv(curInv) + '\r\n')

elif 'wrong' in data or 'error' in data or 'bye' in data:
break

clientSocket.close()

最后终于能在时限内跑出 flag ，结果如下：

...
Correct! (99)

Congrats! get your flag
b1NaRy_S34rch1nG_1s_3asy_p3asy

time expired! bye!