DISCLAIMER
Because I'm lazy, this does not work if state->fptr == state->state (the fix is simple).
Last active
July 19, 2021 12:10
-
-
Save lightdiscord/a474427af99835197e64f95c3ce9a323 to your computer and use it in GitHub Desktop.
Retrieve last generated random value of rand()
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #define OFFSET_RAND_IN_LIBC 0x3f840 | |
| #define OFFSET_UNSAFE_STATE_IN_LIBC 0x1ba5c0 | |
| int main(void) { | |
| srand(42); | |
| void *libc_base = (void*)rand - OFFSET_RAND_IN_LIBC; | |
| struct random_data *state = libc_base + OFFSET_UNSAFE_STATE_IN_LIBC; | |
| int value = rand(); | |
| printf("extracted value legit = %d\n", value); | |
| int dark_magic_value = (unsigned)*(state->fptr - 1) >> 1; | |
| printf("extracted value dark magic = %d\n", dark_magic_value); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment