We did it like it's written in other writeups, but we flipped bit 6 of byte 0x9e. It turned instruction "XOR QWORD PTR [rsi], rdi" (48 31 3e) at 0x9d to "JNO 0x4000de" (48 71 3e). It jumped 7 bytes after beginning of the input buffer, giving plenty of place to put shellcode.