Re: pen testing & obfuscated shell code

["Don Parker" <dparker () rigelksecurity com>]

Hello Karsten, I see upon re-reading my comments below that they are a little confusing. 
What I meant is that you can substitute the 0x90 for say 0x41 (which equates to "A") Yes 
you are also quite correct, as well you can also use 2 byte opcodes. 
 
Cheers! 
 
Don 
 
------------------------------------------- 
Don Parker, GCIA 
Intrusion Detection Specialist 
Rigel Kent Security & Advisory Services Inc 
www.rigelksecurity.com 
ph :613.249.8340 
fax:613.249.8319 
-------------------------------------------- 
 
On Feb 12, Karsten Johansson <ksaj () penetrationtest com> wrote: 
 
In-Reply-To: <200402101324.i1ADOEFc005524 () webmail2 magma ca> 
 
Greetings, 
 
> There is no shortage of  
> 1 byte functions for use, problem is to make it still works after.  
 
I made a paper about a similar topic in 1993 which is available here: <a href='http://
www.penetrationtest.com/computer_viruses/Byte%20Substitutions%20for%20Intel%
20Opcodes.pdf'>http://www.penetrationtest.com/computer_viruses/Byte%20Substitutions%
20for%20Intel%20Opcodes.pdf</a> 
 
The story behind this (which may be useful to those looking for new ways to make nop 
sleds) is that there are at least 2 ways of producing the same opcodes on Intel systems. 
 
As an example (and the document is a huge list of examples) is: 
 
  ADD AX,BX can be either 03h C3h or 01h D8h. 
 
All of the examples that I put in the paper are 2-byte opcodes, but if you follow the 
method I did for finding these opcode equivelants, a nice list of single-digit opcodes 
can probably be found. I didn't feel like making a thorough list of every possible intel 
opcode, although I may do this one day. 
 
Incidentally, I did this experiment when I was playing with virus encryption engines, 
and then later for watermarking binary executable files, and then later again as a form 
of stego using binary executable files.  Nice to see there may be yet another use for 
this idea. 
 
> It is simple to just  
> use an ascii character as well,  
 
Not true.  All ASCII characters result in opcodes.  If you were to do this, the system 
will probably crash.  Besides, if this worked, the concept of a nop sled wouldn't be 
necessary in the first place. 
 
Laters, 
    Karsten Johansson 
    www.PENETRATIONTEST.com 
 
--------------------------------------------------------------------------- 
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection 
 
Protect your network with the comprehensive security solution that 
integrates six applications for ease of use and lower TCO. 
 
Firewall - Virus protection - Spam protection - URL blocking - VPN 
- Wireless security. 
 
Download 30-day evaluation at: 
<a href='http://www.astaro.com/php/contact/securityfocus.php&apos;>http://www.astaro.com/php/
contact/securityfocus.php</a> 
---------------------------------------------------------------------------- 
 

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------