System Call Failure

An interesting feature of Mac OS X is that a successful system call will return to the address 4 bytes after the end of 'sc' instruction and a failed system call will return directly after the 'sc' instruction. This allows you to execute a specific instruction only when the system call fails. The most common application of this feature is to branch to an error handler, although it can also be used to set a flag or a return value. When writing shellcode, this feature is usually more annoying than anything else, since it boosts the size of your code by four bytes per system call. In some cases though, this feature can be used to shave an instruction or two off the final payload.