edb --run [binary]

Press Run twice. To search for a JMP ESP, press Ctrl-O (Opcode Search), choose Jump Equivalent "ESP -> EIP", select the first region and click Find. As usual, find a suitable place to store the shellcode by inspecting the registers at the crash. In Crossfire's case, very little can be stored at ESP, only 7 bytes, so the shellcode cannot go there. We also notice that EAX points to the start of the buffer (the string "(setup sound "), so store the shellcode after "(setup sound " and use the 7 bytes at ESP as a first-stage stub that jumps to EAX + len("(setup sound "). The flow is: overwrite EIP with the address of a JMP ESP > JMP ESP lands in the 7 bytes at ESP > ADD EAX, 12 > JMP EAX > shellcode.

Note on indirect offset jumping: jmp esp+20 is not a valid x86 instruction, and jmp [esp+20] loads the value stored at esp+20 and jumps to it, which is not what is intended. Instead use lea eax, [esp+20]; jmp eax, or sub esp, 20; jmp esp. See https://forums.offensive-security.com/showthread.php?5745-crossfire-bind-vs-reverse-shell&p=59289#post59289

Note on exploiting the Crossfire server: run it standalone, not inside edb, otherwise the shell will not respond to commands. See https://forums.offensive-security.com/showthread.php?5745-crossfire-bind-vs-reverse-shell&p=59289#post59289

Pwntools and Pwndbg

pwndbg/pwndbg

Trigger BoF with pwndbg

Find crash point and EIP value then run: