Alphanumeric shellcode example for peace and magic.
So a friend of mine was having trouble doing syscalls in his exploration of alphanumeric shellcode, and I thought I would lend him a hand :D Enjoy. Assembled, the listing below becomes the 34-byte string "h0ppoXH50p0o4nPYhAAAAX1A0jNX4rNDqq". The absolute address magic (the push/xor pair at the top, which computes where the four encoded syscall bytes will sit in memory) is tied to where the code gets loaded, so you will need to replace it with your own to have this run :P
[bits 64]
_start:
; printable: 0x20 - 0x7e
; alphanum:  0x30 - 0x39, 0x41 - 0x5a, 0x61 - 0x7a
; (rows whose ASCII column contains %, $, -, ,, <, =, [, ], \, ^, _, {, |, }, ~
;  are printable only, not alphanumeric)
; push imm8/imm32 sign-extend to 64 bits; every alphanumeric byte is < 0x80,
; so an alphanumeric immediate is always pushed as a positive value.
;
;  CODE                    | ASCII  | HEX
;__________________________|________|_________________________
; and rax, 0x7a7a7a7a      ; H%zzzz | 0x48,0x25,0x7a,0x7a,0x7a,0x7a
; and eax, 0x7a7a7a7a      ; %zzzz  | 0x25,0x7a,0x7a,0x7a,0x7a
; and ax, 0x7a7a           ; f%zz   | 0x66,0x25,0x7a,0x7a
; and al, 0x7a             ; $z     | 0x24,0x7a
; sub rax, 0x7a7a7a7a      ; H-zzzz | 0x48,0x2d,0x7a,0x7a,0x7a,0x7a
; sub eax, 0x7a7a7a7a      ; -zzzz  | 0x2d,0x7a,0x7a,0x7a,0x7a
; sub ax, 0x7a7a           ; f-zz   | 0x66,0x2d,0x7a,0x7a
; sub al, 0x7a             ; ,z     | 0x2c,0x7a
; xor rax, 0x7a7a7a7a      ; H5zzzz | 0x48,0x35,0x7a,0x7a,0x7a,0x7a
; xor eax, 0x7a7a7a7a      ; 5zzzz  | 0x35,0x7a,0x7a,0x7a,0x7a
; xor ax, 0x7a7a           ; f5zz   | 0x66,0x35,0x7a,0x7a
; xor al, 0x7a             ; 4z     | 0x34,0x7a
; cmp rax, 0x7a7a7a7a      ; H=zzzz | 0x48,0x3d,0x7a,0x7a,0x7a,0x7a
; cmp eax, 0x7a7a7a7a      ; =zzzz  | 0x3d,0x7a,0x7a,0x7a,0x7a
; cmp ax, 0x7a7a           ; f=zz   | 0x66,0x3d,0x7a,0x7a
; cmp al, 0x7a             ; <z     | 0x3c,0x7a
; push rax                 ; P      | 0x50
; push rbx                 ; S      | 0x53
; push rcx                 ; Q      | 0x51
; push rdx                 ; R      | 0x52
; push rdi                 ; W      | 0x57
; push rsi                 ; V      | 0x56
; push rsp                 ; T      | 0x54
; push rbp                 ; U      | 0x55
; push r8                  ; AP     | 0x41,0x50
; push r9                  ; AQ     | 0x41,0x51
; push r10                 ; AR     | 0x41,0x52
; push r11                 ; AS     | 0x41,0x53
; push r12                 ; AT     | 0x41,0x54
; push r13                 ; AU     | 0x41,0x55
; push r14                 ; AV     | 0x41,0x56
; push r15                 ; AW     | 0x41,0x57
; push ax                  ; fP     | 0x66,0x50
; push bx                  ; fS     | 0x66,0x53
; push cx                  ; fQ     | 0x66,0x51
; push dx                  ; fR     | 0x66,0x52
; push di                  ; fW     | 0x66,0x57
; push si                  ; fV     | 0x66,0x56
; push sp                  ; fT     | 0x66,0x54
; push r8w                 ; fAP    | 0x66,0x41,0x50
; push r9w                 ; fAQ    | 0x66,0x41,0x51
; push r10w                ; fAR    | 0x66,0x41,0x52
; push r11w                ; fAS    | 0x66,0x41,0x53
; push r12w                ; fAT    | 0x66,0x41,0x54
; push r13w                ; fAU    | 0x66,0x41,0x55
; push r14w                ; fAV    | 0x66,0x41,0x56
; push r15w                ; fAW    | 0x66,0x41,0x57
; push 0x7a7a7a7a          ; hzzzz  | 0x68,0x7a,0x7a,0x7a,0x7a
; push word 0x7a7a         ; fhzz   | 0x66,0x68,0x7a,0x7a
; push 0x7a                ; jz     | 0x6a,0x7a
; pop rax                  ; X      | 0x58
; pop rbx                  ; [      | 0x5b
; pop rcx                  ; Y      | 0x59
; pop rdx                  ; Z      | 0x5a
; pop rdi                  ; _      | 0x5f
; pop rsi                  ; ^      | 0x5e
; pop rsp                  ; \      | 0x5c
; pop rbp                  ; ]      | 0x5d
; pop r8                   ; AX     | 0x41,0x58
; pop r9                   ; AY     | 0x41,0x59
; pop r10                  ; AZ     | 0x41,0x5a
; pop r11                  ; A[     | 0x41,0x5b
; pop r12                  ; A\     | 0x41,0x5c
; pop r13                  ; A]     | 0x41,0x5d
; pop r14                  ; A^     | 0x41,0x5e
; pop r15                  ; A_     | 0x41,0x5f
; pop ax                   ; fX     | 0x66,0x58
; pop bx                   ; f[     | 0x66,0x5b
; pop cx                   ; fY     | 0x66,0x59
; pop dx                   ; fZ     | 0x66,0x5a
; pop r8w                  ; fAX    | 0x66,0x41,0x58
; pop r9w                  ; fAY    | 0x66,0x41,0x59
; pop r10w                 ; fAZ    | 0x66,0x41,0x5a
; pop r11w                 ; fA[    | 0x66,0x41,0x5b
; pop r12w                 ; fA\    | 0x66,0x41,0x5c
; pop r13w                 ; fA]    | 0x66,0x41,0x5d
; pop r14w                 ; fA^    | 0x66,0x41,0x5e
; pop r15w                 ; fA_    | 0x66,0x41,0x5f
; short jumps: the rel8 byte is counted from the end of the 2-byte instruction,
; so a displacement of 0x7a ('z') lands at $+0x7c
; jo short $+0x7c          ; pz     | 0x70,0x7a
; jno short $+0x7c         ; qz     | 0x71,0x7a
; jb/jnae/jc short $+0x7c  ; rz     | 0x72,0x7a
; jnb/jae/jnc short $+0x7c ; sz     | 0x73,0x7a
; jz/je short $+0x7c       ; tz     | 0x74,0x7a
; jnz/jne short $+0x7c     ; uz     | 0x75,0x7a
; jbe/jna short $+0x7c     ; vz     | 0x76,0x7a
; jnbe/ja short $+0x7c     ; wz     | 0x77,0x7a
; js short $+0x7c          ; xz     | 0x78,0x7a
; jns short $+0x7c         ; yz     | 0x79,0x7a
; jp/jpe short $+0x7c      ; zz     | 0x7a,0x7a
; jnp/jpo short $+0x7c     ; {z     | 0x7b,0x7a
; jl/jnge short $+0x7c     ; |z     | 0x7c,0x7a
; jnl/jge short $+0x7c     ; }z     | 0x7d,0x7a
; jle/jng short $+0x7c     ; ~z     | 0x7e,0x7a

push 0x6f707030            ; encoded absolute address preamble ("h0ppo")
pop rax
xor rax, 0x6f307030        ; xor the preamble with the fancy key: rax = 0x00400000
xor al, 0x6e               ; fold in the low byte: rax = 0x0040006e
push rax                   ; put the resulting absolute address into rcx
pop rcx
push 0x41414141            ; syscall code block key ("hAAAA")
pop rax
xor [rcx+48], eax          ; decode the syscall code block through an offset of 0x30 ('0'):
                           ; rcx+48 = 0x40009e, which is offset 30 of this code when _start
                           ; sits at 0x400080. This instruction writes into its own code, so
                           ; the segment holding it must be writable as well as executable.
push 0x4e                  ; encoded syscall number for exit
pop rax
xor al, 0x72               ; xor it with the key: 0x4e ^ 0x72 = 0x3c = 60 = exit
syscall_bytes: db 0x4e,0x44,0x71,0x71   ; "NDqq"; ^ 0x41414141 = 0f 05 30 30 = syscall ...
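The stub above hard-codes one load address and one syscall number. As an added example (not code from the original post), here is a small C generator that produces the same 14-instruction layout for any load address and any syscall number below 0x80, searching for alphanumeric xor pairs instead of hand-picking them, plus an emulator that walks a stub and reports where its decode write lands and which syscall number it sets. The layout, the 0x41414141 key and the `[rcx+disp8]` trick are the post's; the function names, the pair search and the use of `0x30,0x30` as padding after the `syscall` bytes are this example's own choices. The post's 34-byte string is embedded as a constructed test input.

```c
/* Added example: generator + emulator for the post's alphanumeric x86-64
 * "decode one syscall in place" stub.  Not the post's own code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 34          /* size of the post's stub */
#define DB_OFF   30          /* offset of the four encoded syscall bytes */

/* The post's own stub, kept here as a constructed test input. */
static const char PAGE_STUB[] = "h0ppoXH50p0o4nPYhAAAAX1A0jNX4rNDqq";

/* 0-9, A-Z, a-z: the byte set every emitted byte must fall in. */
static int is_alnum_byte(uint8_t b) {
    return (b >= '0' && b <= '9') || (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z');
}

static int stub_is_alnum(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!is_alnum_byte(p[i])) return 0;
    return 1;
}

/* Find alphanumeric a, b with a ^ b == target.  Both inputs are < 0x80, so
 * a single xor pair can never produce a byte >= 0x80 (returns -1 then). */
static int find_xor_pair(uint8_t target, uint8_t *a, uint8_t *b) {
    for (unsigned x = 0x30; x <= 0x7a; x++) {
        unsigned y = x ^ target;
        if (is_alnum_byte((uint8_t)x) && y < 0x100 && is_alnum_byte((uint8_t)y)) {
            *a = (uint8_t)x; *b = (uint8_t)y;
            return 0;
        }
    }
    return -1;
}

/* Emit:  push A; pop rax; xor rax,B; xor al,c; push rax; pop rcx;
 *        push 0x41414141; pop rax; xor [rcx+disp],eax;
 *        push s; pop rax; xor al,k; db (0f 05 30 30) ^ "AAAA"
 * so that rcx+disp == load_addr+30 (the db block) and s^k == sysno.
 * Returns 0 on success, -1 if some byte is unreachable from alphanumerics. */
int build_alnum_syscall_stub(uint64_t load_addr, uint8_t sysno, uint8_t out[STUB_LEN]) {
    uint64_t target = load_addr + DB_OFF;
    uint8_t s, k, disp = 0, c = 0, pa[4], pb[4];
    int found = 0;

    if (target > 0x7fffffffULL) return -1;            /* imm32 is sign-extended; bit 31 must be clear */
    if (find_xor_pair(sysno, &s, &k) != 0) return -1; /* sysno must be < 0x80 */

    /* Choose disp8 so that rcx = target - disp has an alphanumeric low byte
     * (set by xor al,c) and bytes 1..3 reachable as a ^ b. */
    for (unsigned d = 0x30; d <= 0x7a && !found; d++) {
        if (!is_alnum_byte((uint8_t)d) || target < d) continue;
        uint64_t rcx = target - d;
        c = (uint8_t)(rcx & 0xff);
        if (!is_alnum_byte(c)) continue;
        pa[0] = pb[0] = '0';                          /* low byte: a ^ b = 0, then xor al,c */
        found = 1;
        for (int i = 1; i < 4; i++)
            if (find_xor_pair((uint8_t)(rcx >> (8 * i)), &pa[i], &pb[i]) != 0) { found = 0; break; }
        if (found) disp = (uint8_t)d;
    }
    if (!found) return -1;

    uint8_t *p = out;
    *p++ = 0x68; memcpy(p, pa, 4); p += 4;              /* push imm32 (pa[] little-endian) */
    *p++ = 0x58;                                        /* pop rax */
    *p++ = 0x48; *p++ = 0x35; memcpy(p, pb, 4); p += 4; /* xor rax, imm32 */
    *p++ = 0x34; *p++ = c;                              /* xor al, c */
    *p++ = 0x50; *p++ = 0x59;                           /* push rax; pop rcx */
    *p++ = 0x68; memset(p, 'A', 4); p += 4;             /* push 0x41414141 (the key) */
    *p++ = 0x58;                                        /* pop rax */
    *p++ = 0x31; *p++ = 0x41; *p++ = disp;              /* xor [rcx+disp8], eax */
    *p++ = 0x6a; *p++ = s;                              /* push imm8 */
    *p++ = 0x58;                                        /* pop rax */
    *p++ = 0x34; *p++ = k;                              /* xor al, k -> rax = sysno */
    const uint8_t plain[4] = {0x0f, 0x05, 0x30, 0x30};  /* syscall + pad (pad never runs for exit) */
    for (int i = 0; i < 4; i++) *p++ = plain[i] ^ 'A';
    return stub_is_alnum(out, STUB_LEN) ? 0 : -1;
}

/* Walk a stub with the layout above: where does the decode write land, what
 * syscall number ends up in rax, and what do the four db bytes decode to? */
int emulate_stub(const uint8_t *st, uint64_t *target, uint8_t *sysno, uint8_t decoded[4]) {
    static const uint8_t shape[STUB_LEN] = {0x68,0,0,0,0, 0x58, 0x48,0x35,0,0,0,0, 0x34,0, 0x50,0x59,
                                            0x68,0,0,0,0, 0x58, 0x31,0x41,0, 0x6a,0, 0x58, 0x34,0, 0,0,0,0};
    for (int i = 0; i < STUB_LEN; i++)
        if (shape[i] && st[i] != shape[i]) return -1;   /* not the expected instruction sequence */
    uint64_t rax = (uint64_t)(int64_t)(int32_t)(st[1] | st[2] << 8 | st[3] << 16 | (uint32_t)st[4] << 24);
    rax ^= (uint64_t)(int64_t)(int32_t)(st[8] | st[9] << 8 | st[10] << 16 | (uint32_t)st[11] << 24);
    rax ^= st[13];                                      /* xor al, imm8 touches only the low byte */
    *target = rax + st[24];                             /* rcx = rax; write goes to [rcx+disp8] */
    for (int i = 0; i < 4; i++) decoded[i] = st[DB_OFF + i] ^ st[17 + i];
    *sysno = st[26] ^ st[29];
    return 0;
}

int main(void) {
    uint8_t out[STUB_LEN], dec[4], sysno; uint64_t target;
    emulate_stub((const uint8_t *)PAGE_STUB, &target, &sysno, dec);
    printf("post's stub: decode write hits 0x%llx, rax = %u, db -> %02x %02x\n",
           (unsigned long long)target, sysno, dec[0], dec[1]);
    if (build_alnum_syscall_stub(0x400080, 60, out) == 0)
        printf("generated:   %.*s\n", STUB_LEN, (const char *)out);
    return 0;
}
```

Running the emulator over the post's string confirms the address assumption: the decode write lands on 0x40009e, which is offset 30 of the stub only if `_start` is at 0x400080, and rax ends up as 60 (exit). The generator fails cleanly on the two cases one xor pair cannot reach, a syscall number of 0x80 or more and a target address with bit 31 set; covering those needs extra arithmetic instructions, not a different key.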