Re: Alphanumeric Shellcode Encoding and Detection

["Avraham Schneider" <avri.schneider () gmail com>]

On Tue, Aug 5, 2008 at 11:31 PM, Avraham Schneider
<avri.schneider () gmail com> wrote:
> Oops - that is not correct - it will only work when the second and
> third bits of ESP are 0
>
> :-) I was to quick on the send button.
>
> EAX is basically XOR's with the length of the string, and instead I
> need to increment it by the length of the string... I'll have to come
> up with a better solution... (I'll probably have to resort to
> patching... but I was looking for a quick and dirty fix)
>
> If anyone comes up with a solution for this before me, I'll buy them a
> Shawarma next time they're in Israel ;-)
>
> Regards,
> Avri
>
> On Tue, Aug 5, 2008 at 7:00 PM, Avraham Moshe Schneider
> <Avraham.Schneider () aladdin com> wrote:
> > I fixed a couple of bugs -
> >
> > 1. The srand() function was called after calls to rand() - causing a fixed string in the decoder which an IDS could 
> > signature on
> > 2. Case of ESP register pointing to the head of the decoder was not handled, it is fixed now, but needs to be 
> > randomized. Right now, in the case of ESP pointing to the shellcode, the following fixed string would exist at the 
> > head of the decoder routine: "TX4640"
> > This translates to:
> > _asm
> > {
> >        push esp;
> >        pop eax;
> >        xor al, 0x36;
> >        xor al, 0x30;
> > }
> >
> > The '6' and the '0' can be any alphanumeric byte where the first is the second+6 or vice versa.
> >
> > You may add alphanumeric NOP instructions in between and change the diff between the bytes accordingly.
> > The diff between the two XOR values should be the length of the resulting string.
> >
> > I used the EAX register, as XOR'ing it with an immediate value is alphanumeric.
> >
> > Regards,
> > Avri
> > **********************************************************************************************
> >
> > The contents of this email and any attachments are confidential.
> > It is intended for the named recipient(s) only.
> > If you have received this email in error please notify the system manager or  the
> > sender immediately and do not disclose the contents to anyone or make copies.
> > ** eSafe scanned this email for viruses, vandals and malicious content **
> >
> > **********************************************************************************************
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

Attachment: alnum_decoder_encoder.c
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/