Vulnerability Development mailing list archives

Re: xor encoding / decoding of shellcode


From: blitzkrieg <nyse () inwind it>
Date: Wed, 28 Nov 2001 20:22:09 +0100

On Wed, Nov 28, 2001 at 12:31:54PM -0500, KF wrote:
> with null. I have been trying
> to figure out how the stack needs to be laid out in order for me to xor
> encode / decode my shellcode.
> I imagine it is similar to <nops><xor decoder><xor encoded
> shellcode><return addy>. At the moment
> I am stuck on how to place a xor encoded string on the stack and then
> use it as executable code.
> In essence I need to learn how to write a xor decoder. Does anyone have
> any tips on this technique?

Perhaps I'm going wrong... but in AT&T syntax you can try something
like this. I think it is the same on ppc.

        [...]
        jmp     encoded                 # skip over the decoder on entry
decoder:
        pop     %esi                    # the call below pushed the address of
                                        # "shellcode", so %esi now points at it
        [...]
        xorl    $yourkey, 0xYY(%esi)    # where YY is the offset of the
                                        # words that you've encoded ($ marks
                                        # the key as an immediate operand)
        [...]
        jmp     shellcode
encoded:
        call    decoder                 # pushes the address of "shellcode"
shellcode:
        [...]
        your shellcode
        [...]

bye bye
                                --blitzkrieg
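From the detection side, as an added example that is not part of the original thread: the following Python scanner looks for the call/pop/xor decoder shape sketched above in a raw x86 byte buffer (a backward E8 call landing on a one-byte pop, followed by an xor-immediate against memory addressed through the popped register). The sample buffer is hand-assembled from that skeleton with a made-up key and filler payload bytes and is a constructed assumption, not code from the post.

```python
import struct

# One-byte "pop reg" opcodes 0x58..0x5F map to eax,ecx,edx,ebx,esp,ebp,esi,edi.
POP_REG = range(0x58, 0x60)

def find_call_pop(buf: bytes):
    """Return (call_offset, target_offset) pairs for backward E8 calls that land on a pop."""
    hits = []
    for i in range(len(buf) - 4):
        if buf[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", buf, i + 1)[0]
        target = i + 5 + rel                      # rel32 is relative to the next instruction
        if rel < 0 and 0 <= target < len(buf) and buf[target] in POP_REG:
            hits.append((i, target))
    return hits

def xor_on_reg_nearby(buf: bytes, start: int, reg: int, window: int = 32) -> bool:
    """True if 'xor imm, disp8(reg)' (opcode 80/81 with /6) appears within window bytes of start."""
    if reg == 4:                                  # esp needs a SIB byte; not handled here
        return False
    modrm = 0x40 | (6 << 3) | reg                 # mod=01 (disp8), reg field=/6 (xor), rm=reg
    for j in range(start, min(start + window, len(buf) - 1)):
        if buf[j] in (0x80, 0x81) and buf[j + 1] == modrm:
            return True
    return False

def scan(buf: bytes):
    """Report call/pop/xor decoder stubs: each hit gives the call, the decoder start and the register."""
    findings = []
    for call_off, pop_off in find_call_pop(buf):
        reg = buf[pop_off] - 0x58
        if xor_on_reg_nearby(buf, pop_off + 1, reg):
            findings.append({"call": call_off, "decoder": pop_off, "reg": reg})
    return findings

# Constructed sample: the post's skeleton hand-assembled for x86 with a single xorl and a
# made-up key 0x41414141: jmp encoded; decoder: pop %esi; xorl $key,0(%esi); jmp shellcode;
# encoded: call decoder; shellcode: four filler bytes. Not real shellcode.
SAMPLE = bytes.fromhex("eb0a 5e 81760041414141 eb05 e8f1ffffff 8d8d8d8d")

if __name__ == "__main__":
    print(scan(SAMPLE))             # [{'call': 12, 'decoder': 2, 'reg': 6}]
    print(scan(b"\x90" * 16))       # []
```

The heuristic only covers the disp8 addressing form shown in the post; a decoder that walks the buffer with a register loop uses a different ModRM and would need an extra pattern.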

