> For the complete documentation index, see [llms.txt](https://0xten.gitbook.io/public/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/random.md).

# random

## Pseudo-random value without seed

First, let's analise the source of the challenge.

```c
#include <stdio.h>

int main(){
	unsigned int random;
	random = rand();	// random value!

	unsigned int key=0;
	scanf("%d", &key);

	if( (key ^ random) == 0xdeadbeef ){
		printf("Good!\n");
		system("/bin/cat flag");
		return 0;
	}

	printf("Wrong, maybe you should try 2^32 cases.\n");
	return 0;
}
```

The program is extremely simple, it initializes a random value using rand(), which uses a static seed, different from srand(), that reads an argument as the seed to do generate pseudo-random values. Therefore, we can generate the random number locally using rand().

After generating the pseudo-random value, the program XORs it with a user provided key, and if the output matches 0xdeadbeef, the flag is returned. If you know how a XOR work you also know they are reversible operations, which means a^b=c <=> (c^a=b and c^b=a). With that in mind and knowing the value of the pseudo-random number, we can XOR it with 0xdeadbeef to extract the key.&#x20;

## Final Exploit

```c
#include <stdio.h>

int main(){
    unsigned random = rand(0xdeadbeef); //static seed
    unsigned key = random ^ 0xdeadbeef;
    unsigned proof = key ^ random;
    printf("Random: %u\n",random);
    printf("Key: %u\n", key);
    printf("Proof: 0x%x\n", proof);
    return 0;
}
```

I used the code above to generate the correct key.

![](/files/d0BJSK1ibQZpRnCyc6kt)

![](/files/MoMjBM7r5YwZnrLzGA05)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://0xten.gitbook.io/public/pwnable/toddlers-bottle/random.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.