Yeah, to AND EAX x2 for each four bytes is a little stupid. So I actually don't want to do that. Since when EAX is originally zeroed out, and then SUB'ed to the proper value then pushed, we already know it's value, it's only a matter of figuring out which values to sub from the new EAX to get to the next four bytes. You should only have to zero it out once.
As for the tutorial, that technique is similar, but I want this more like a POC for non-SEH, ASLR etc protected things. When this works POC, then we would take it to the next level and make it work as a standard module with all the other goodies.