febnug · May 15, 2020 08:17
diff --git a/x86_gen_str_in_stack.php b/x86_gen_str_in_stack.php
 <?php

 // Taken from : https://gist.github.com/ammarfaizi2/ac9639359a1f315f0aedc6a4bbbc60fb

 $strings = [
    "/bin/sh"
 //  "Enter Password: ",
 //  "Enter Password 2: ",
 //  "Enter Password 3: ",
 //  "Wrong Password!\n",
 //  "Congratulation, you have passed the first layer of memory map!\n",
 //  rvbn(36),
 //  rvbn(36),
 //  rvbn(36)
 ];

 $imploded = "";
 foreach (array_reverse($strings) as $str) {
  $imploded .= $str."\0";
 }
 $lcos = strlen($imploded);
 $ncos = $lcos % 4;
 if ($ncos > 0) {
  $ncos = 4 - $ncos;
 }

 $lenTotal = strlen($imploded) + $ncos;

 $head = "push ebp\n";
 $head.= "mov ebp, esp\n";
 $head.= "sub esp, ".$lenTotal."\n";
 $body = "";
 $i = 4;
 $split = array_reverse(str_split($imploded, 4));
 foreach ($split as $part) {

  $len = strlen($part);
  $pad = str_repeat("\0", 4 - $len);
  $ecp = "0x".bin2hex(strrev($part.$pad));
  // $ecp = "\"{$part}\"";
 //  $body .= "mov eax, {$ecp}\n";
 //  $body .= "mov [ebp - {$i}], eax\n";

 // aku ganti register eax ke register ebx, biar bisa manggil syscall

  $body .= "mov ebx, {$ecp}\n";
  $body .= "mov [ebp - {$i}], ebx\n";

  $i += 4;
 }

 echo $head.$body;
 echo "\n\n; Var info\n";
 echo "; ncos = {$ncos}\n";

 $i = $ncos;
 foreach ($strings as $k => $v) {
  $len = strlen($v);
  $i += $len + 1;
  echo "; [ebp - {$i}] ; // {$len} bytes \"".str_replace("\n", "\\n", $v)."\"\n";
 }

 /*

 function rvbn(int $n)
 {
  $a = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
  $r = "";
  for ($i = 0; $i < $n; $i++) {
    $r .= $a[$i];
  }
  return $r;
 }

 */
	<?php

	// Taken from : https://gist.github.com/ammarfaizi2/ac9639359a1f315f0aedc6a4bbbc60fb

	$strings = [
	"/bin/sh"
	// "Enter Password: ",
	// "Enter Password 2: ",
	// "Enter Password 3: ",
	// "Wrong Password!\n",
	// "Congratulation, you have passed the first layer of memory map!\n",
	// rvbn(36),
	// rvbn(36),
	// rvbn(36)
	];

	$imploded = "";
	foreach (array_reverse($strings) as $str) {
	$imploded .= $str."\0";
	}
	$lcos = strlen($imploded);
	$ncos = $lcos % 4;
	if ($ncos > 0) {
	$ncos = 4 - $ncos;
	}

	$lenTotal = strlen($imploded) + $ncos;

	$head = "push ebp\n";
	$head.= "mov ebp, esp\n";
	$head.= "sub esp, ".$lenTotal."\n";
	$body = "";
	$i = 4;
	$split = array_reverse(str_split($imploded, 4));
	foreach ($split as $part) {

	$len = strlen($part);
	$pad = str_repeat("\0", 4 - $len);
	$ecp = "0x".bin2hex(strrev($part.$pad));
	// $ecp = "\"{$part}\"";
	// $body .= "mov eax, {$ecp}\n";
	// $body .= "mov [ebp - {$i}], eax\n";

	// aku ganti register eax ke register ebx, biar bisa manggil syscall

	$body .= "mov ebx, {$ecp}\n";
	$body .= "mov [ebp - {$i}], ebx\n";

	$i += 4;
	}

	echo $head.$body;
	echo "\n\n; Var info\n";
	echo "; ncos = {$ncos}\n";

	$i = $ncos;
	foreach ($strings as $k => $v) {
	$len = strlen($v);
	$i += $len + 1;
	echo "; [ebp - {$i}] ; // {$len} bytes \"".str_replace("\n", "\\n", $v)."\"\n";
	}

	/*

	function rvbn(int $n)
	{
	$a = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
	$r = "";
	for ($i = 0; $i < $n; $i++) {
	$r .= $a[$i];
	}
	return $r;
	}

	*/