Metasploit mailing list archives

Re: Unencoded payload works fine, but encoded payload crashes.


From: scriptjunkie <scriptjunkie1 () googlemail com>
Date: Wed, 27 Jul 2011 16:34:08 -0500

That is because an encoded payload will modify itself to decode its
inner payload. However, most compilers, and I assume MASM as well,
mark the code section of the executable as EXECUTE_READ but if you
want to modify that code directly, it must be writeable
(EXECUTE_READWRITE). You will need to call VirtualProtect on your
shellcode to mark the page with appropriate permissions first, or
somehow otherwise copy it to an RWX page.

Matt

On Tue, Jul 26, 2011 at 10:10 PM, Jordan Trover <shurimaxx () hotmail com> wrote:
I didn't know where to ask for help on this, but I thought here would be the
best place to ask.
I started learning MASM a few days ago, and I wanted to test executing some
payloads from metasploit with masm.
Here's the code: http://pastie.org/private/oyfaky8xttqllgfjlaopzg
You can see there are two payloads there, the first one (commented) is an
unencoded payload I generated with:
              ~$ msfpayload windows/exec CMD=calc.exe EXITFUNC=none C
This one works fine, but when I try encoding the payload (the second
uncommented payload in the code) with:
              ~$ msfpayload windows/exec CMD=calc.exe EXITFUNC=none R | msfencode -t c
The compiled binary crashes when executing it. It seems to be because of a
memory access violation. I loaded it into a debugger and the instruction
where it crashes is: XOR DWORD PTR DS:[ESI+17],EAX
But ESI is 00000000 at that moment.
I hope someone could help me figure out how I can run the encoded payload
just like I do with the normal unencoded version.
Thanks.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

-- 
scriptjunkie
http://www.scriptjunkie.us/
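The permission change Matt describes, as an added MASM32 example that is not from the thread or the linked pastie: a single XOR-masked RET byte (constructed) stands in for the encoded payload so that the in-place decode step can be seen to fault when the page is left EXECUTE_READ and to succeed once VirtualProtect has made it writeable. It assumes the MASM32 SDK include and library paths.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc       ; assumes the MASM32 SDK layout
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
    oldProt  dd ?                         ; receives the previous page protection

.code
; Constructed stand-in for the encoded payload: one RET (0C3h) masked with
; the key 55h. Because it sits in .code, the linker gives its page
; EXECUTE_READ, exactly the situation that makes a decoder's in-place
; XOR raise an access violation.
encoded  db 096h                          ; 0C3h xor 55h
         db 15 dup (90h)                  ; padding so the region is 16 bytes

start:
    ; 1. Make the page holding 'encoded' writeable as well as executable.
    ;    Comment this call out and the XOR below faults, as in the thread.
    invoke VirtualProtect, offset encoded, 16, PAGE_EXECUTE_READWRITE, addr oldProt
    .if eax == 0
        invoke ExitProcess, 1             ; could not change protection
    .endif

    ; 2. Decode in place: the same kind of write a decoder stub performs.
    mov esi, offset encoded
    mov al, 55h
    xor byte ptr [esi], al                ; 096h xor 55h -> 0C3h (RET)

    ; 3. Run the decoded byte; it simply returns here.
    call esi

    ; 4. Restore the original protection so the page is not left RWX
    ;    longer than the decode window needs (this RX->RWX transition is
    ;    what DEP exists to prevent and what many monitors flag).
    invoke VirtualProtect, offset encoded, 16, oldProt, addr oldProt
    invoke ExitProcess, 0
end start
```

Assemble and link with the MASM32 tools (ml /c /coff, then link /SUBSYSTEM:WINDOWS); with the first VirtualProtect call removed, the process dies at the XOR with the same kind of access violation Jordan saw.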