Re: Shellcode

[Dave Aitel <dave () immunitysec com>]

If you choose your hashing algorithm correctly, I bet you can use ONE 
byte hashes too. Given N sets of function names S[0] to S[N] is there a 
hash function H that for all sets in S can differentiate between them 
into an 8 bit space and can also differentiate between module names 
M[0]-M[N]? What about 4 bits? :> Then you get to minimize the size of 
the hash that can do that. . .

Surely there's a Phrack article here somewhere. :>

-dave


Isaac Dawson wrote:
> Hi Pedro,
> You may be better off creating a hash table of function names and 
> inserting hashing code into your shellcode. That is of course if you 
> are looking up a lot of strings/function addresses etc. Although it 
> may not be the best solution I find it really easy to read and look at 
> to create string/hash section in your shellcode (I put mine at the 
> bottom of the code). So we have something like:
> startup:
>   call fwd
>   inc ebx
>   inc ebx ; now we have the exact address to the __emit junk.
>   mov [ebp+someoffset], ebx ; store our address on the stack so we can 
> work with it easier
>
> fwd:
> call get_data_offset
>
> get_data_offset:
>   pop ebx ; this gives our current location due to popping the last 
> return address from the stack
>   ret
>   __emit(your stuff)
>   __emit(some more of your stuff)
>
>
> Look around the net for hashing algorithms there are plenty out there. 
> (Some better than others!).
> Or just create your own its not too hard and you can get it really 
> small, 2 bytes is better than 4 :).
> Hope this helps,
> -Isaac
>
> On 11/30/05, *Alexander Sotirov* <asotirov () determina com 
> <mailto:asotirov () determina com>> wrote:
>
>     Pedro E wrote:
>
>     > LibraryReturn:
>     >       pop ecx                         ;get the library string
>     >       mov [ecx + 10], dl              ;MY PROBLEM is this line I
>     don't
>     > have the right permissions to modify the NULL value and finish
>     the string
>     >       mov ebx, 0x79470221             ;LoadLibraryA(libraryname);
>     >       push ecx                        ;beginning of user32.dll
>     >       call ebx                        ;eax will hold the module
>     handle
>     >       jmp short FunctionName
>     > xxx
>     > ..
>     > ..
>     > GetLibrary:
>     >       call LibraryReturn
>     >       db 'user32.dllN'
>
>     Just put the string on the stack:
>
>     push 0x5f5f6c6c              ; 'll__'
>     push 0x642e3233            ; '32.d'
>     push 0x72657375            ; 'user'
>     call LibraryReturn
>
>     LibraryReturn:
>         lea ecx, [esp+4]            ; esp+4 points to the string
>     "user32.dllXX"
>         mov [ecx + 10], dl        ; the string is on the stack, so you can
>     write the null terminator
>
>
>     or even better:
>
>     xor eax, eax
>     mov ax, 6c6c
>     push eax                          ; 'll\0\0'
>     push 0x642e3233            ; '32.d'
>     push 0x72657375            ; 'user'
>     call LibraryReturn
>
>
>
>     Alex