Tags: misc xor srand 

Decompile the program with [https://dogbolt.org/](https://dogbolt.org/). This is the relevant code in Ghidra:

```
void vuln(void)

{
  int iVar1;

  key = 0;
  srand(0x539);
  iVar1 = rand();
  printf("Your Guess : ");
  fflush(stdout);
  __isoc99_scanf(&DAT_001020cb,&key);
  if ((key ^ iVar1 + 0x1467f3U) == 0xcafebabe) {
    puts("Correct! This is your flag :");
    system("cat flag.txt");
    // WARNING: Subroutine does not return
    exit(0);
  }
  puts("Wrong, Try again harder!");
  return;
}
```

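If you look it up, *srand* is a function that sets the seed for the pseudo-random number generator in a C program. Because the seed here is the constant 0x539, the first rand() call returns the same value on every run. So, we can use srand(0x539) in our own program (built against the same C library as the target, since rand() implementations differ between libraries) and calculate what iVar1 is! Then, we can reverse the expression in the if statement to output the correct value for key.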

Let's do a bit of math to reverse that expression:

key ^ iVar1 + 0x1467f3U = 0xcafebabe

Note that in C, XOR (the ^ operator) has lower precedence than addition, so the addition is evaluated first.

Therefore, this equation is just

key ^ (iVar1 + 0x1467f3U) = 0xcafebabe

XOR both sides with key:

iVar1 + 0x1467f3U = 0xcafebabe ^ key

XOR both sides with 0xcafebabe:

(iVar1 + 0x1467f3U) ^ 0xcafebabe = key

The above two steps work due to several properties of XOR, namely:

- XOR is associative
- XOR is commutative
- a ^ a = 0
- 0 ^ a = a

Therefore, we can write our program to get the key:

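```
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* Same constant seed as vuln(), so rand() returns the same first value. */
    srand(0x539);
    unsigned int a = rand();

    /* key = (iVar1 + 0x1467f3U) ^ 0xcafebabe */
    printf("%u\n", (a + 0x1467f3U) ^ 0xcafebabe);

    return 0;
}
```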

It outputs 3682327394. Send this with ncat to get the flag!

TCP1P{r4nd0m_1s_n0t_th4t_r4nd0m_r19ht?_946f38f6ee18476e7a0bff1c1ed4b23b}
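
A check of the derivation above, as an added example that is not part of the original write-up: `check` restates the decompiled condition with its precedence written out, `solve_key` is its inverse, and `rand_from_key` recovers the rand() value implied by the key the write-up prints, which helps when your local C library's rand() differs from the target's. The function and macro names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SEED   0x539u       /* seed passed to srand() in vuln() */
#define ADDEND 0x1467f3u    /* constant added to rand() in vuln() */
#define TARGET 0xcafebabeu  /* value the check compares against */

/* The condition from vuln(), with the implicit precedence made explicit. */
static int check(uint32_t key, uint32_t r)
{
    return (uint32_t)(key ^ (uint32_t)(r + ADDEND)) == TARGET;
}

/* Inverse of the check: key = (r + ADDEND) ^ TARGET, modulo 2^32. */
static uint32_t solve_key(uint32_t r)
{
    return (uint32_t)(r + ADDEND) ^ TARGET;
}

/* Given a key known to pass, recover the rand() value the target produced. */
static uint32_t rand_from_key(uint32_t key)
{
    return (uint32_t)((key ^ TARGET) - ADDEND);
}

/* First rand() value after seeding, as vuln() computes it. */
static uint32_t first_rand(unsigned seed)
{
    srand(seed);
    return (uint32_t)rand();
}

int main(void)
{
    uint32_t local = first_rand(SEED);
    uint32_t expected = rand_from_key(3682327394u); /* key printed in the write-up */

    printf("local rand(): %u, key: %u, passes check: %d\n",
           local, solve_key(local), check(solve_key(local), local));
    if (local != expected)
        printf("local libc differs from the target's; target rand() was %u\n",
               expected);
    return 0;
}
```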