From 180549d8447b54e5aaf247d7265fb747b07ce7a8 Mon Sep 17 00:00:00 2001
From: minoplhy <c@3qx.nl>
Date: Fri, 16 May 2025 13:31:53 +0700
Subject: [PATCH] THCTT24_running_number: init

---
 THCTT24_running_number/bruteforce.c           |  38 +++++++++++++++++
 .../original/running_number                   | Bin 0 -> 16152 bytes
 .../rewrite/running_number_rewrite.c          |  39 ++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 THCTT24_running_number/bruteforce.c
 create mode 100755 THCTT24_running_number/original/running_number
 create mode 100644 THCTT24_running_number/rewrite/running_number_rewrite.c

diff --git a/THCTT24_running_number/bruteforce.c b/THCTT24_running_number/bruteforce.c
new file mode 100644
index 0000000..1d4d55c
--- /dev/null
+++ b/THCTT24_running_number/bruteforce.c
@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+// This is da bruteforce code to get the right random seed
+
+int main(void) {
+    int seed;
+    long sum;
+    int rand_var;
+    int i;
+    int md5_answer;
+    
+    for (seed = 0; seed <= 1000000000;seed++) {
+        srand(seed);
+        sum = 0;
+        for (i = 0xa07; i > 0x7e7; i--) { // 2567 2023
+            if (i % 3 != 0) {
+                rand_var = rand();
+                sum = sum + rand_var;
+            }
+        }
+        printf("%u\n", seed);
+
+        if (sum == 0x5aad48bfa6) { // 389454282662
+            printf("THCTT24{");
+            for (i = 10; i < 0x4a; i++) { // 74
+                if ((i & 1) == 0) {
+                    rand_var = rand();
+                    md5_answer = rand_var % 0x10; // 16
+                    printf("%x", md5_answer);
+                }
+            }
+            puts("}\n");
+            printf("Seed -> %d\n", seed);
+            break;
+        }
+    }
+}
\ No newline at end of file
diff --git a/THCTT24_running_number/original/running_number b/THCTT24_running_number/original/running_number
new file mode 100755
index 0000000000000000000000000000000000000000..e09140476580055a21e01e61939ae3b9c366d37e
GIT binary patch
literal 16152
zcmeHOYitzP6~40$;FQN2!oxg@M+r!#try#XF{G6BW6ik2K*3IFlytJ*UE5Rb!`Yn$
zn?hpbP}Q}Nh*YIblt{EclD0`z(nb|Rjk1OmNLmqtR0*k7WuZn{3z|A=TG7_9J!kGY
z<Jn=YM)^^x)m&@$yXW!UbLY&RnLFNlpAPMA^C^npQYOA6P&!p1H9;~Q+)5RIplB2e
z;k!z#6>~wp&(cYIPy$$Gx$Y~*a?+OpBCirFC2);Y3r6lCBJyS{mGh*9QP6Q9Zw{JB
zcH`^RPe!)e@l+&3QLS$qr%7aV@-R2!HPT^xM=|zMynaIFp@_T*;!P0GM(hyU2|1sb
z6Z|w%KHaE-4U1}h3*qJ+B%T{v$)6EpU^(!<8T~Zz_7QKLYBeL=_ywsJj2!PPz{9+J
z(!!^CKgFBvJk(PD87Zw|W8CO&*t{_wt%)1S>_E*xV?#~D=0GMDsJFU+{lXYHrgrV=
z622jkLml(6z7#%~R<vIz>^yhv@Q+`<(YEWo#{G{E46dlZ!fhZ2eXyWE4+)g9{u%h7
zk39b4P?I{utFbEy#Muh=aY+ed5_D<_eKqJx`G0X1{e!dUzXN&|KJJ3Ux>WnmgI;wz
zgZvPDO8G0G$JqB2U5^Ze^&TS`jvGf}Lf7F$M)ZssPMdlnY$Qb{9Zp6?f7Z-^(a5AC
z+qUVMNI2Oe`qM_z>=8)76Wt(o?QU;w(dz?S?OJ_ci(TKeS?KMZ9eOmDj`bQDGnVe`
zXo;tivCeRJ93%H8Qb~%eOV^T)a0os)zh%~+0#~uD%Ok^j3siYLuP}^-c%^rcF1yOO
zA4knsNq*zm=U|xlL`2dB-*@<W?_Vqp*Xh2(`dZT02BqEBlbqWr^*9DG_gpSJ^v-cR
z?$FC|D;d`vdX9mX35OoXyIq2^hPQRRHn@}rWexRs9dW4$${Ome`#l*d9eR31SQgcx
zheUeC%Yc^wF9Ti%ybO35@G|g!p8;+7R=GAh=hqvB&`#t`UtwGue!KjFecXjD?}DkY
z{<rY$uL?p9<vz4eP86W5KaVm_2`9%b`5ekP6`agj^3PGmsoUfkOa2MUIAxnWZOM;<
z+;a+KtJM9uedOxbwUHaz@Smpkb%yG4b?;~=cU%EuVVNIXKkf<mtDdoZu|HsY613XM
zIp09ocH3MAhx1`T9?t!R34hfPI$t0J|0c_S%XWkfceRlzZS2FH+Su(fO}VIDy=yLo
z2HvCw$_o=c{;Jj){$KrT|2eed4wyyu^Ih8Tju)`1jl6Fz&_;Ls5rq5(IIMgWzAn!B
z9mvY#5ZjKA{K>;$>;euXUxl6@U4$)MI*a|xzk0V&&`yT(+Q>yP^*K#vz%&}lk6g+>
zhfbG5Q^>d!nw|$U=9`V99n)H5Ofzzibai!UV|i5@IX`lF>~__L^CRO*P8r`YHuCO?
zYv%m?VWfXwQ$kb2iD~8dvFQ(BO8oR&+S!-i(ti3Vw5e?iO=V4pe-mCd?5<S+4Wi-n
z{AO@8G(9|_oXBPC^VOh-P~#A4EWbuMKYYUvA-iskhHhC0@iS*5zqwN=42Pzb;bYV7
zPo0Ah-<8(<55aKL4~i3{coq~^PTqmxXpPgNk%`Cd6)yu`2D}V-8SpaTWx&gTmjN#W
zUIx4jcp3Pl8BpN2qD~_b+pdcBQPHWjbavKn{-#(zAdZPWDYY#g?iI@FvWKgoL40YS
z{!5`?0zNiXD7*+52ZYyS(e+WG@CG3M=7~i)vR^0z70T)b^U6;t^D0ok20kkIJAbz;
z?JvYS@*jeDPe5HPs%TqO`DOq7!{tL_=c<Q4w`rZ#4DvDlS@3iIo`kU;gU|C2uLl1+
z(X^=ITfUZsbIYm~=n^Qr;$^_gfR_O;16~Ha40svvGT>#v%Yc`G|LqL$`aWLI$7}Uk
z=&%;>;n9LZ_^r(<KcYpJD@o>cgR4pAH>Oo2^ZG%2&%(m?zuhgQP(F>n_(I_|c;oo;
z2!+=IUM4%Q_4|c1i}{3=gv$sSh$iy1UJ!q1#xfwme*fe(ek(|SngX+af;z_i&XFIl
z0p$4qD#+sjv*ijub;{!-KKznv$((0+-L&Lq$o>zKx!)A#zYe^9+#R@q#z7n5BZNJK
zhX|R+>qB?7v}{+aTVvfuIH}fc3e*Q`YwEXbpelRci<qbT#770U1@n$;Uyo9vRC0I#
zu$2E=(EEg6<Xrtj9_puD`c0(g>jFfpw8OU|R*A--l=(d3YHUR;6FknPRfwZd!S?w&
zWBs=+|E2bNTh_k<l~Vnm?YQs<Z$&&HZmZnF43=u=qUFC_xX<r<7Hx^WzMfmTVfk0u
z*AMG&LxpYutg>(!Bt$LJNa2vBUn#1C#l||&mujaO^c7;Ioo8mXqrb00@coDNduM5<
zdltP(?YsMP9P}zT>cCT=U+h~ccs#S|CDg+oljyc3UITpvjFVuHJtZCi{Sp`tykExp
zrxci8Cx0GS%zBgj2Wh>v^}i`Fp11VuHG{tgJ@(Vx&Ih1ZXWZ<X0yjkNgRO+h8qhEC
z!QJ0=T|{PyD-J}`W?di!%h<!+hHk>Y0YQ;5vpqe5h?rUOuA2!xf{Wg9HGMRt_r_D*
z;kX_(Q|XKz&JKu3D$yU0nXzb~wzLPX)i?BTIvpO=V@WeTD0<T2L`;un6Ny2fI3yiB
z%_7%yHkmY%y?Qd6=#HhKXS&|Dzo{dnhxWAUu;{+^YkQhH+FL*k8!YsYMpmtLztDH>
z-rL-?Ti@H(b|BQLcQ!Te4gtfxUm(bv0RF>rf80=D`{FhMJr)g{VPPE}Z7nFWTl)}-
zG>|}G$Q=XFk>c$GdNh;L`(Wz=ZY^lv3tmwpsb@2>C`5t{4Z7Z)$q?7t=TN-4!49+)
zJYk;#CkQt%l-!k2ypO`BTStbcL5M(RFkyzf0nN0;KCZz&idec|1d=H;7U)f81O4e#
ze=KbdI#k_R19sOKQBpNEx7Xk(v)uc_nLZJS4kjUlL^CZdhhpiBkxCW`I@r>&co+#(
z>yMivV0AM9)j)3wL^C!3-#FU9DP^6UK&+3(S6>twVM$WuK$8rvLxga`h(P$1i7i9t
z@FWKy_aXp8Jpm)wdD(sHI?lV`(u8M?ES2<JWaN1lnJr(gBR&Kloa->Zk@$=%*qnvu
zL9A<lij#kk_>B1fd1vAKB<t|G>g4ltol#{+LN_1xv-}<APTYT<Pcm|Ro=>{_9|k_o
zC7I9jO~!IeE)?t|R+-Q9J_B@k$js;YD<jWW!Nn@n9E;*fsNvj@`8*$FTuz?cfA(X1
z3hX%7Wcf7BCmDmpclV#v;v`fsr_AU1E@O@yIllY&zeoIL^5gk4<A8&YIdk)W06NSG
zw{Jgp==sC*a%#rvE7uWUgpZT25|8l-baE7atTDa<HYb0G42;}gZh~dTGcG<q-x-&4
zVyOX+%kBNr#pn4ABhGi7#XbIi1xD<@9Y!T@LLUF5y(fQfgTcvP$2>ybUpX89nv1`W
zc#N+xk&yGo>OVjQ)~;ID5bF4SlJ{Y{{aI$r1IO>+^E~`|4YoEj-lQ}mGyh{S;Mk+v
zmOVeV_tj!@py2g`g?W4)Uj-eyFrW9o<u;<X5Y-awZ{{=J0gIE*@2h#@2W_UTFpqIA
zkez&<*H+g`f9@wY!#tK302y`Mf1W=!65s8Qv7BWw#V2>$#QZ8-BP+~zqCIvUz6Ytn
w9ChroV8izX?hoI8@%rGtJLsZvvy>imHO_I_7pK>y_}lTp24$6t;1b2Z0h`v8$p8QV

literal 0
HcmV?d00001

diff --git a/THCTT24_running_number/rewrite/running_number_rewrite.c b/THCTT24_running_number/rewrite/running_number_rewrite.c
new file mode 100644
index 0000000..1a55114
--- /dev/null
+++ b/THCTT24_running_number/rewrite/running_number_rewrite.c
@@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+// This is rewrite of 'running_number' with help from ghidra
+// while ensuring the integrity of program flows and so on
+
+int main(void) {
+    int seed;
+    int rand_var;
+    int i;
+    int md5_answer;
+    
+    printf("Time: ");
+    scanf("%u", &seed);
+    srand(seed);
+
+    long sum = 0;
+
+    for (i = 0xa07; i > 0x7e7; i--) { // 2567 2023
+        if (i % 3 != 0) {
+            rand_var = rand();
+            sum = sum + rand_var;
+        }
+    }
+
+    if (sum == 0x5aad48bfa6) { // 389454282662
+        printf("THCTT24{");
+        for (i = 10; i < 0x4a; i++) { // 74
+            if ((i & 1) == 0) {
+                rand_var = rand();
+                md5_answer = rand_var % 0x10;
+                printf("%x", md5_answer); // 16
+            }
+        }
+    puts("}");
+    } else {
+        puts("No Flag");
+    }
+}
\ No newline at end of file