Buffer bomb nitro

I am working on a buffer bomb project for school and the last phase is called nitro.  The other phases made it so that the stack always started at the same position so that if I overwrite %ebp for example I could just use gdb to look up what it should be and replace it with my exploit code as a literal value.  However in the last phase the stack does not always start in the same position.  However I figured out how I can work this into my exploit code instead of using a literal value for restoring the contents of %ebp(which should when where all said and done contain the address of the beginning of the previous stack frame) I just incorporate a memory address calculation in with my exploit code in order to figure out where the previous stack frames %ebp(address) is at so I can restore it into the contents of the current %ebp so that when I return from the function it doesn't segfault.  The problem is that for some reason I am not doing the assembly portion right because it keeps segfaulting.  My assembly code for calculating where the previous frames stack pointer should be is as follows

leal 0x20(%ebp) , %ecx
movl %ecx, (%ebp)

What I think this code accomplishes is
    1.) add 0x20 to the current address of %ebp maybe this syntax is wrong maybe its taking what is in %ebp and adding 0x20 not the address of %ebp itself although my book says that is not how lea works

2.) moving the calculated value from step 1 into the contents of %ebp

I know for a fact that adding 0x20 to the memory address of %ebp gives me the desired address that I need because if I hard code that value it works fine but I don't know why my assembly is wrong could someone please help me

If you guys need the actual code I can post it