Dailydave mailing list archives

Re: add %ebx, (%esi)


From: Bee Binger <bbinger123 () yahoo com>
Date: Fri, 20 Jul 2007 08:21:31 -0700 (PDT)

Interesting replies...  I also didn't realize this was mostly for generating "shellcode", but with a little thought I
could have probably figured this out.

"Berend-Jan Wever (SKYLINED)" <bjwever () microsoft com> wrote:
The number of variations of achieving the same thing is actually very large. It would be nice to be able to determine
how many variations there are in total. I'm only interested in variations that don't use "nop" instructions that don't
do anything useful. There must be a way to do it and prove that you've got all of them.

Cheers,

SkyLined

Do you actually think it's possible to find *every* combination?  I have thought about it a bit since reading your email
and if there are no size/performance/opcode restrictions then I think you could have an unlimited amount of
combinations (assuming we are using your last example about extending one instruction into multiple).  It would
somewhat depend on what exactly you consider a nop instruction too.

Also if you move away from the basic instruction set into the "extended ones" (I do not know the real name for all the
multimedia and floating point ones), then you would have extreme problems trying to match them all.


Dave Aitel <dave () immunityinc com> wrote:
Which so far hasn't hurt us, since our shellcode doesn't use it. This
is very much a shellcode/proglet assembler.
 
I should have realized this point before, but it went right past me.

I added bt this morning, so that should work nicely for you now. For bonus credit I added bswap. :>.

gracias

We have been using a similar (though much slower) assembler for a few years now in all of our exploits (which is why I
can finish an assembler in a week, rather than a month or two).

I was wondering this exact thing

Once the C parser is rewritten, I'll release it all as LGPL and you can fix it :>.

/me hides

I really like the idea of a web service for shellcode decoder creation. This was part of the original idea for
the CANVAS World Service (which we're still going to do some day).

this would be amazing, especially if some of SkyLined's ideas (multiple instructions, setting fixed offsets to introduce
a lot of math instructions to break patterns) would be incorporated.

- -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
