;-----------------------------------------------------------------------
; Kitteh: it's like 'cat', but limited.
;   - The filename it 'cats' is hardcoded (see `file` in .data).
;   - It takes no arguments.
;   - The file size / buffer is limited to about 1 KB (`buffer`, .bss).
;   - There may be an interesting vuln... (see the notes on `print`).
;
; Syntax: NASM (Intel operand order).
; Target: 32-bit Linux, raw system calls through `int 0x80`
;         (eax = call number; ebx, ecx, edx = arguments; result in eax).
; The contents of file.txt are the only external input and should be
; treated as untrusted.
;-----------------------------------------------------------------------
section .text
global _start

;-----------------------------------------------------------------------
; _start: program entry point.
;   1. open(file, O_RDONLY)
;   2. read(3, buffer, len)
;   3. print   (copy buffer to the stack, write it to STDOUT)
;   4. compare print's result in eax with 1337, then exit or jump to elite
; No system call result is checked for an error.
;-----------------------------------------------------------------------
_start:
        mov     eax, 5                  ; syscall 5 = open (it opens the file; it does not read yet)
        mov     ebx, file               ; ebx = pointer to the NUL-terminated path 'file.txt'
        mov     ecx, 0                  ; ecx = flags, 0 = O_RDONLY
        int     0x80                    ; make the call; eax = new descriptor or negative errno
                                        ; NOTE(review): the result is never tested or saved,
                                        ; so a missing file.txt goes unnoticed.

        mov     eax, 3                  ; syscall 3 = read (overwrites the descriptor open returned)
        mov     ebx, 3                  ; descriptor hardcoded to 3; presumably the author
                                        ; assumes 0-2 are already open so open() returned 3
                                        ; (verify; nothing here guarantees it)
        mov     ecx, buffer             ; destination: start of the 1024-byte .bss buffer
        mov     edx, len                ; maximum bytes to read = len (1024)
        int     0x80                    ; make the call; eax = bytes read or negative errno
                                        ; NOTE(review): the byte count is discarded, so the
                                        ; data's length is later found only by scanning for
                                        ; a zero byte.

        call    print                   ; copy the data to the stack and write it to STDOUT
        cmp     eax, 1337               ; eax is whatever print left in it: the return value
                                        ; of its write call (bytes written or negative errno)
        je      elite                   ; if it equals 1337, do elite stuff

        mov     eax, 1                  ; otherwise quit: syscall 1 = exit
        int     0x80                    ; ebx (exit status) is not set here; it still holds
                                        ; the 1 loaded in print, so the status is 1, not 0

;-----------------------------------------------------------------------
; print: copy the NUL-terminated data in `buffer` to a local stack
;        buffer and write it to STDOUT.
; In:    nothing in registers; reads the global `buffer`.
; Out:   eax = return value of write.
; Clobb: eax, ebx, ecx, edx, flags.
; Stack after `sub esp, 16`:
;        [esp+0 .. esp+15]  local buffer (16 bytes)
;        [esp+16]           return address pushed by `call print`
;
; SECURITY NOTE: this is a stack-based buffer overflow (CWE-121).
; The copy loop stops only at a zero byte and never compares ecx with
; the 16 bytes reserved, while `buffer` can hold up to 1024 bytes of
; file data. Any input longer than 15 bytes plus its terminator is
; written past the local buffer and over the saved return address, so
; `ret` then transfers control to a value taken from the file.
; The loop also has no bound against `len`: if read filled all 1024
; bytes with non-zero data there is no terminator inside `buffer`, and
; the scan continues into whatever memory follows it.
; A hardened version would bound the copy by the local buffer's size,
; or skip the copy and write straight from `buffer` using the byte
; count returned by read.
;-----------------------------------------------------------------------
print:
        sub     esp, 16                 ; make room for buffer (this is big enough right?)
                                        ; -- no: the source holds up to 1024 bytes
        xor     ecx, ecx                ; ecx = copy index, starts at 0

store:                                  ; move data from main memory to stack memory
        mov     al, [buffer + ecx]      ; al = next source byte
        mov     byte [esp + ecx], al    ; store it in the stack buffer (no bounds check)
        inc     ecx                     ; advance the index before the test, so the
                                        ; terminator is counted too
        cmp     al, 0                   ; was that byte the NUL terminator?
        jne     store                   ; if not, keep going

        ; print from stack
        mov     edx, ecx                ; edx = byte count for write; includes the NUL byte
        mov     eax, 4                  ; syscall 4 = write
        mov     ebx, 1                  ; descriptor 1 = STDOUT
        mov     ecx, esp                ; ecx = start of the copied text on the stack
        int     0x80                    ; make the call; eax = bytes written or negative errno
        add     esp, 16                 ; release the local buffer; esp points at the saved
                                        ; return address again
        ret                             ; return through that address (see SECURITY NOTE)

;-----------------------------------------------------------------------
; elite: reached only when eax == 1337 after print returns.
;        Loads a fixed constant into ecx and jumps to it; never returns.
;-----------------------------------------------------------------------
elite:
        mov     ecx, 3431675667         ; magic address (hardcoded constant)
        jmp     ecx                     ; go there (and likely segfault)

section .data
file    db      'file.txt', 0           ; hardcoded, NUL-terminated path passed to open

section .bss
buffer  resb    1024                    ; file contents are read here; .bss starts zeroed,
                                        ; so a read shorter than 1024 bytes is followed by
                                        ; zero bytes
len     equ     $ - buffer              ; size of buffer in bytes (1024)