Writing ascii shellcode (\xcc)

[lists73 () skilltube com]

There was a question regarding ascii shellcode development and in particular, how to get the \xcc opcode. We had a 
similar problem a few weeks ago and we solved it with a well-known approach documented by Steve Hanna. The example 
below might help others as well.

Suppose we want create the following small shellcode (just an example):

int3
int3
int3
int3

The corresponding opcodes look like the following:

\xcc\xcc\xcc\xcc

These are definitely not printable characters. However, we can write them on the fly with the following loader code 
(does not contain non-printable characters):

// eax == 0
and eax,454e4f4a
and eax,3a313035

// make "room" for the real shellcode
push esp
pop eax
sub eax,39393333
sub eax,72727550
sub eax,54545645  // depends on the space needed
push eax
pop esp

// write last four byte block of our shellcode
and eax,454e4f4a
and eax,3a313035

sub eax,66666666
sub eax,66666666
sub eax,66666668
push eax

//write next four byte block of our shellcode 
etc.