Vulnerability Development mailing list archives
Re: xor encoding / decoding of shellcode
From: "Ryan Permeh" <ryan () eEye com>
Date: Wed, 28 Nov 2001 10:23:53 -0800
Your general layout seems to be correct. This is based off of x86 ideas, but asm is asm is asm, and everyone is basically the same.

First thing, when building the shellcode, find your xor byte (so that no shellcode byte ^ xor byte == 0). Next, get the size of your shellcode. Now xor the shellcode by the xor byte, and save it as a string (below referenced by xorencodedshellcode). Then just make your decoder point past your decoder to the start of your encoded shellcode and loop an xor operation * the number of shellcode bytes you need to decode. At the end of the loop, the next byte should be the beginning of your now xor-decoded shellcode.

So it does look like this (in a simple, best case scenario):

[nops][xordecoder][xorencodedshellcode][ret]

Your ret hits the nops, or directly to the xordecoder, depending on how exact you can get it, and the xordecoder will decode then step to the shellcode.

Good luck.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "KF" <dotslash () snosoft com>
To: <vuln-dev () security-focus com>
Sent: Wednesday, November 28, 2001 9:31 AM
Subject: xor encoding / decoding of shellcode
I have been working a lot with asm lately on the ppc platform... my goal has been to develop shellcode for several different situations... I have come up with shellcode that writes an xinetd.d entry and one that binds a shell to a port, as well as a few other typical shellcode examples. The problem that I am having is that a lot of my instructions cause nulls. I have a technique to remove some of them, but the method I use takes 2 instructions for every one with a null. I have been trying to figure out how the stack needs to be laid out in order for me to xor encode / decode my shellcode. I imagine it is similar to <nops><xor decoder><xor encoded shellcode><return addy>. At the moment I am stuck on how to place a xor encoded string on the stack and then use it as executable code. In essence I need to learn how to write a xor decoder. Does anyone have any tips on this technique? I am trying to come up with something similar to ADMmutate that works on PowerPC or other RISC processors.

-KF
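The build-time and run-time halves of the procedure Ryan describes above, as an added C example that is not code from either poster. Key selection, encoding and the decoder loop are written in C; the real decoder is a handful of instructions in the target's assembly, so the C loop only shows the logic that stub implements. The sample bytes are constructed (they contain NULs on purpose), and the 255-byte size limit is an assumption that the stub keeps its count in an 8-bit register.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for "shellcode": arbitrary bytes that contain NULs,
 * chosen only to exercise the encoder. Not real shellcode from the thread. */
const uint8_t sample_code[] = {
    0x31, 0xc0, 0x00, 0x00, 0x50, 0x68, 0x2f, 0x2f,
    0x73, 0x68, 0x00, 0xcd, 0x80
};

/* Step 1: pick the xor byte. It must be non-zero (the decoder carries it as
 * an immediate, and a zero immediate would put a NUL in the decoder itself),
 * and no code byte may equal it, otherwise code[i] ^ key == 0 and the encoded
 * copy contains a NUL. Returns the first usable key, or -1 if every value
 * 1..255 appears in the code and a single-byte key cannot work. */
int find_xor_key(const uint8_t *code, size_t len) {
    uint8_t seen[256] = {0};
    for (size_t i = 0; i < len; i++) seen[code[i]] = 1;
    for (int k = 1; k < 256; k++) {
        if (!seen[k]) return k;
    }
    return -1;
}

/* Steps 2 and 3: the size is just len; encode every byte with the key.
 * This is the build-time half that the decoder stub undoes at run time. */
void xor_encode(const uint8_t *code, size_t len, uint8_t key, uint8_t *out) {
    for (size_t i = 0; i < len; i++) out[i] = code[i] ^ key;
}

/* Step 4: the decoder loop, in C instead of the target's assembly.
 * A pointer starts on the first encoded byte (just past the decoder in the
 * real payload), XORs it in place, advances, and repeats len times. The
 * decoded code begins at `encoded`; the returned pointer is one past the
 * last byte touched, which is where a miscounted loop would show up. */
uint8_t *xor_decode_in_place(uint8_t *encoded, size_t len, uint8_t key) {
    uint8_t *p = encoded;
    for (size_t remaining = len; remaining > 0; remaining--) {
        *p ^= key;
        p++;
    }
    return p;
}

/* 1 if buf contains no NUL byte, else 0. */
int has_no_nul(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0) return 0;
    }
    return 1;
}

/* Full round trip on the sample: key selection, encode, NUL check, decode,
 * compare with the original. Returns 1 on success, 0 on any failure. */
int demo_round_trip(void) {
    size_t len = sizeof sample_code;
    int key = find_xor_key(sample_code, len);
    if (key < 0) return 0;               /* no single-byte key works */
    if (len > 255) return 0;             /* assumed 8-bit counter in the stub */
    uint8_t buf[sizeof sample_code];
    xor_encode(sample_code, len, (uint8_t)key, buf);
    if (!has_no_nul(buf, len)) return 0; /* encoder failed its own goal */
    uint8_t *end = xor_decode_in_place(buf, len, (uint8_t)key);
    if (end != buf + len) return 0;      /* loop count did not match size */
    return memcmp(buf, sample_code, len) == 0;
}

int main(void) {
    int key = find_xor_key(sample_code, sizeof sample_code);
    printf("xor key: 0x%02x, round trip %s\n", key,
           demo_round_trip() ? "ok" : "FAILED");
    return 0;
}
```

The NUL check has to hold for the whole payload, not just the encoded part: the decoder stub's own immediates (key, byte count, jump displacements) are bytes in the buffer too, which is why the key is restricted to 1..255 and why a size that happens to encode as zero in the stub would force a different loop construction.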
Current thread:
- xor encoding / decoding of shellcode KF (Nov 28)
- Re: xor encoding / decoding of shellcode Ryan Permeh (Nov 28)
- Re: xor encoding / decoding of shellcode blitzkrieg (Nov 28)
- Re: ppc asm KF (Nov 29)