From: CTE
To: You
key1 = 3, key2 = 777 (binary 11 0000 1001: the low 8 bits should be 9 (0000 1001) and the next 8 bits should be 3 (0000 0011); the other 16 bits can be any mix of 0s and 1s. For instance, 1000 0000 0100 0011 0000 0011 0000 1001 is also OK). key3 = -1, key4 = 45.
process_keys12 is used to modify the value of dummy. key1 + *key1 is the address of dummy, so "*((int *)(key1+*key1)) = *key2" stores the value pointed to by key2 into dummy. After that, "start" takes the low 8 bits of dummy and "stride" takes the next 8 bits.
*key1 must be 3, so that adding its value to the address of key1 yields the address of dummy and we can modify its value. The low 8 bits (start) of dummy (the same value as *key2) indicate where to begin picking letters. The next 8 bits (stride) are the parameter that extract_message1 uses indirectly to pick two letters out of every three, and that extract_message2 uses to pick one.
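A small model of the process_keys12 step, added here as an example that is not part of the original exercise code: the stack frame is replaced by a constructed int array in which dummy sits exactly 3 ints after key1, and the two fields are decoded with the bit layout the text gives (the array layout, slot indices and function names are assumptions).

```c
#include <stdio.h>
#include <stdint.h>

/* Fields that process_keys12 leaves in dummy, per the text:
   start = low 8 bits, stride = next 8 bits, the upper 16 bits are ignored. */
static unsigned decode_start(uint32_t dummy)  { return dummy & 0xFFu; }
static unsigned decode_stride(uint32_t dummy) { return (dummy >> 8) & 0xFFu; }

/* Model of the write "*((int *)(key1 + *key1)) = *key2".
   key1 points into an int array, so adding *key1 moves *key1 ints forward;
   the write only lands on dummy when dummy is exactly *key1 ints past key1.
   Returns the final value of dummy, or -1 if the offset leaves the modelled frame. */
static int model_process_keys12(int key1_val, int key2_val)
{
    int slots[8] = {0};      /* constructed stand-in for the stack frame */
    int *key1  = &slots[2];
    int *key2  = &slots[3];
    int *dummy = &slots[5];  /* 3 ints after key1, as the text requires */

    *key1 = key1_val;
    *key2 = key2_val;
    if (key1 + *key1 < slots || key1 + *key1 >= slots + 8)
        return -1;           /* refuse to model an out-of-frame write */
    *((int *)(key1 + *key1)) = *key2;
    return *dummy;
}

int main(void)
{
    uint32_t keys[] = { 777u, 0x80430309u };  /* the two key2 values from the text */
    for (int i = 0; i < 2; i++)
        printf("key2 = 0x%08x -> start = %u, stride = %u\n",
               keys[i], decode_start(keys[i]), decode_stride(keys[i]));
    printf("dummy after process_keys12 with *key1 = 3: %d\n",
           model_process_keys12(3, 777));
    printf("dummy after process_keys12 with *key1 = 2: %d\n",
           model_process_keys12(2, 777));
    return 0;
}
```

With *key1 = 3 the write reaches dummy and both key2 values decode to start 9 and stride 3; with any other *key1 the store lands elsewhere and dummy stays 0.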
process_keys34 modifies its own return address. The return address is changed to that of the next call to "process_keys34", so that several lines of code are skipped, avoiding the call to extract_message1; that is the clue.
When the first call to process_keys34 returns, execution continues from "msg2 = extract_message2(start, stride);" and the source code that follows.
The third key's value plus its address gives the address of process_key34's return address; the fourth key then modifies process_key34's return address, by adding its value to that return address, so that execution skips to the end of the next process_key34.