看一下题目
连上去看一下
---------------------------------------------------- Shall we play a game? ----------------------------------------------------You have given some gold coins in your handhowever, there is one counterfeit coin among themcounterfeit coin looks exactly same as real coinhowever, its weight is different from real onereal coin weighs 10, counterfeit coin weighes 9help me to find the counterfeit coin with a scaleif you find 100 counterfeit coins, you will get reward :)FYI, you have 60 seconds.- How to play - 1. you get a number of coins (N) and number of chances (C)2. then you specify a set of index numbers of coins to be weighed3. you get the weight information4. 2~3 repeats C time, then you give the answer- Example -[Server] N=4 C=2 # find counterfeit among 4 coins with 2 trial[Client] 0 1 # weigh first and second coin[Server] 20 # scale result : 20[Client] 3 # weigh fourth coin[Server] 10 # scale result : 10[Client] 2 # counterfeit coin is third![Server] Correct!- Ready? starting in 3 sec... -N=536 C=10参考了一下别人的思路,大概意思是说
一堆硬币,有一个假币,重量为9,而其他为10,要通过给定的C次机会内找到假币。
一共要在30s内找到100个假币,也就是完成100次游戏,最终会给出flag。二分法处理就行了,又是一道coding。因为网络延迟的问题,所以我们不使用远程连接,
直接用其他题目的账号登录上去,在/tmp目录下写个py脚本。
但正在我想去写脚本的时候
已经连了一个小时了,死活连不上,连上了刚cd 到temp目录下,又卡住了,淦!
今晚看来是不能完成了,先放一下别人的解题思路吧
import socket
import sys
import res = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", 9007))def get_numbers(ss, ee):str_list = []for n in range(ss, ee):str_list.append(str(n))return " ".join(str_list)start = 0
while True:data = s.recv(1024)print datapattern1 = re.compile("^N=([0-9]*) C=([0-9]*)$")match1 = pattern1.match(str(data))pattern2 = re.compile("^([0-9]*)$")match2 = pattern2.match(str(data))if match1:end = int(match1.group(1))fr = (0,end/2)sr = (end/2+1, end)s.send(get_numbers(fr[0], fr[1])+"\n")elif match2 and len(match2.group(1)) > 0:w = int(match2.group(1))if (fr[1] - fr[0])*10 == w:fr = (sr[0], (sr[0]+sr[1])/2+(sr[0]+sr[1])%2)sr = (fr[1], sr[1])else:sr = (fr[1], fr[1])fr = (fr[0], (fr[0]+fr[1])/2+(fr[0]+fr[1])%2)sr = (fr[1], sr[1])s.send(get_numbers(fr[0], fr[1])+"\n")get_numbers用于生成索引序列,比如2 3 4 5,满足格式需求。后面就是简单的
正则匹配,取出服务器的结果,if/else分支根据当前的weight总和判断假币在左侧
还是右侧,如此二分查找下去最终可以找到假币索引。
作者-----:https://r00tk1ts.github.io/2018/03/10/coin1/
#!/usr/bin/python
__author__ = "TaQini"from pwn import *
import redef getNC():r = target.readline() #number and changesNC = re.findall("[0-9]+",r)return int(NC[0]), int(NC[1])def guess(start, end):coin = ""for i in xrange(start, end+1):coin += str(i) + " "# print "coin " + cointarget.sendline(coin)weight = target.read()# print "weight " + str(weight)return weightdef binsearch():for i in range(100):N, C = getNC()cnt = 0# print "N= " + str(N) + " C=" + str(C)Left = 0Right = N - 1while (Left <= Right):Mid = (Left + Right)/2# print "guess " + str(Left) + "-" + str(Mid)cnt += 1if cnt > C:# print "Hit!"weight = guess(Left,Mid)breakelse:weight = guess(Left,Mid)# print "trial= " + str(cnt)# print "and C= " + str(C)if (eval(weight) + 1) % 10: # fake coin not hereLeft = Mid + 1else:Right = Midprint "hit!",(i),target = remote("127.0.0.1",9007)
target.read() #rule of game
binsearch()
print target.read()
作者----https://blog.csdn.net/SmalOSnail/article/details/53129001
import time
from pwn import *conn = remote('0', 9007)
conn.recv(10024)
for _ in range(100):line = conn.recv(1024).decode('UTF-8').strip().split(' ')print(line)n = int(line[0].split('=')[1])c = int(line[1].split('=')[1])left = 0right = nfor _ in range(c):guess = ' '.join(str(left) for left in range(left, int((left+right)/2)))conn.sendline(guess)output = int(conn.recv(1024).decode('UTF-8').strip())if (output % 10 == 0):left = int((left+right)/2)else:right = int((left+right)/ 2)conn.sendline(str(left))print(conn.recv(1024).decode('UTF-8'))
print(conn.recv(1024).decode('UTF-8'))
conn.close()
作者----https://www.rootnetsec.com/pwnable.kr-coin1/ (讲解了一些算法思路)
溜了溜了
