
(Pwnable.xyz) sub writeup

by snwo 2022. 1. 9.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int v4; // [rsp+0h] [rbp-18h] BYREF
  int v5; // [rsp+4h] [rbp-14h] BYREF
  unsigned __int64 v6; // [rsp+8h] [rbp-10h]

  v6 = __readfsqword(0x28u);
  sub_A3E(a1, a2, a3);
  v4 = 0;
  v5 = 0;
  _printf_chk(1LL, "1337 input: ");
  _isoc99_scanf("%u %u", &v4, &v5);
  if ( v4 <= 0x1336 && v5 <= 0x1336 )
  {
    if ( v4 - v5 == 0x1337 )
      system("cat /flag");
  }
  else
  {
    puts("Sowwy");
  }
  return 0LL;
}

The code is simple.

v4 and v5 are int (signed, 4 bytes).

scanf reads them with %u (unsigned), but that does not matter: the bits are stored in the int locals and read back as signed.

The key point is that v4 and v5 are signed, so the v4 <= 0x1336 && v5 <= 0x1336 check is a signed comparison and negative values pass it.

When we input -1 and -4920 (4920 = 0x1338):

-1 - (-4920) = -1 + 4920 = 4919 (0x1337)

So with the input -1 -4920 we get the flag.

❯ nc svc.pwnable.xyz 30001
1337 input: -1 -4920
FLAG{sub_neg_==_add}
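To make the signed/unsigned mismatch concrete, here is an added example (not the challenge binary's code and not from the write-up) that re-implements the decompiled check as written, next to a hardened version that keeps the values unsigned. The parse_input helper mirrors the binary's scanf("%u %u") into int storage; the names and the exhaustive search are my own additions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Added example: re-implementation of the decompiled check, not the binary's
 * own source. The binary's locals are signed int, so both comparisons below
 * are signed comparisons. */
static bool vulnerable_check(int v4, int v5)
{
    if (v4 <= 0x1336 && v5 <= 0x1336)
        return v4 - v5 == 0x1337;   /* true -> system("cat /flag") */
    return false;                   /* "Sowwy" */
}

/* Hardened variant (assumption: the 0x1336 bound was meant as an unsigned
 * bound). Storing and comparing as uint32_t makes a negative input a large
 * value that fails the bound check instead of sneaking past it. */
static bool hardened_check(uint32_t v4, uint32_t v5)
{
    if (v4 <= 0x1336u && v5 <= 0x1336u)
        return v4 - v5 == 0x1337u;
    return false;
}

/* Parse the line the way the binary does. %u follows strtoul rules (C11),
 * so a leading '-' is accepted: "-1" yields 0xFFFFFFFF, which the binary
 * then reads back from its int local as -1. */
static bool parse_input(const char *line, int *v4, int *v5)
{
    unsigned u4, u5;
    if (sscanf(line, "%u %u", &u4, &u5) != 2)
        return false;
    *v4 = (int)u4;   /* same bit pattern, now interpreted as signed */
    *v5 = (int)u5;
    return true;
}

/* Exhaustive check: with the bound enforced on unsigned values there is no
 * pair in [0, 0x1336] x [0, 0x1336] whose difference is 0x1337. */
static unsigned count_winning_pairs_hardened(void)
{
    unsigned wins = 0;
    for (uint32_t a = 0; a <= 0x1336u; a++)
        for (uint32_t b = 0; b <= 0x1336u; b++)
            wins += hardened_check(a, b);
    return wins;
}

int main(void)
{
    int v4, v5;
    const char *line = "-1 -4920";   /* constructed: the input from the write-up */
    if (!parse_input(line, &v4, &v5))
        return 1;
    printf("v4=%d v5=%d -> signed check: %s\n", v4, v5,
           vulnerable_check(v4, v5) ? "flag" : "Sowwy");
    printf("same bits as unsigned -> hardened check: %s\n",
           hardened_check((uint32_t)v4, (uint32_t)v5) ? "flag" : "Sowwy");
    printf("winning pairs under hardened check: %u\n",
           count_winning_pairs_hardened());
    return 0;
}
```

The fix is not the %u by itself; it is keeping the type signed while bounding it. Either declare the locals unsigned to match the format string, or reject negative values explicitly before the subtraction.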