SLAE Assignment 7: Create a custom crypter

Encryption ... Encryption everywhere 

Hint: It's easier to read the code on GitHub!

It's time for the final exercise.

Quite similarly to Assignment 4, we now need to use a known encryption scheme to create an encrypted version of our shellcode. We can pick whatever language we want to do so. Again, I picked Assembly language because I want to understand Assembly better and to read memory issues in Assembly.

I did not want to recreate a full encryption scheme in Assembly from scratch, so I decided to look around for an implementation of an encryption scheme in Assembly to analyze and copy. What stood out was that a lot of people were looking into RC4 performance by comparing a C version and an Assembly version. I have always been told that Assembly can be optimized to be better than C (this is the first chapter of the "Bible book of Assembly" from Dr Paul Carter). I used this code sample to create an RC4 shellcode encoder.

Ron's Code 4 


First of all we need to understand RC4, and the Wikipedia page is not really clear in my opinion. Here is the algorithm:

- First, the encryption creates an array and initializes it based on your key (KSA, the key-scheduling algorithm)

KSA:
for (i = 0; i < 256; i++) S[i] := i;   // initialize the array
j := 0
for (i = 0; i < 256; i++) {
    j := (j + S[i] + key[i mod keylength]) mod 256;
    swap(S[i], S[j]);
}

- Then this array is used to generate a pseudo-random byte stream (PRGA, the pseudo-random generation algorithm), which encrypts the message (in our case the shellcode) by being XORed with it

PRGA:
i := 0; j := 0;
do {
    i := (i + 1) mod 256;
    j := (j + S[i]) mod 256;
    swap(S[i], S[j]);
    K := S[(S[i] + S[j]) mod 256];
    output K;
} while (required);


OK, I made a lot of comments in the Assembly code, so hopefully you can get what's going on directly there. For testing purposes, let's simply put the shellcode inside the .data section, decrypt it and then jump to it. (It's a bit cumbersome for me that a simple "JMP shellcode" in Assembly corresponds to "int (*ret)() = (int(*)())code;" in C, lol... so many parentheses.)



Of course, you won't be able to inject this shellcode as-is into a real process because it relies on the .data and .bss sections. But anyway, I would not recommend the RC4 decoder as a stub: it is quite a lengthy decryption process. Compared to shikata_ga_nai, for instance, the decoder stub is way longer; shikata_ga_nai only XORs a word with a key, whereas for RC4 you need to populate an array, prepare the array with your key and then compute the decryption.

Since the RC4 encoder and decoder are the same function (the keystream is simply XORed with the data in both directions), we will use the same assembly for encoding, for decoding and for executing. Let's try it now.
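As an added example (not the post's Assembly nor the GitHub code), here is the KSA and PRGA from the pseudocode above written in C, with a self-check against the published RC4 test vector (key "Key", plaintext "Plaintext"). The same rc4_crypt call is used for both encryption and decryption, which is the symmetry the post relies on; rc4_check is a helper name chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* KSA: fill S with 0..255, then permute it under the key (see pseudocode above).
 * j is a uint8_t, so every "mod 256" in the pseudocode happens implicitly. */
static void rc4_ksa(uint8_t S[256], const uint8_t *key, size_t keylen) {
    for (int i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + S[i] + key[i % keylen]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;          /* swap(S[i], S[j]) */
    }
}

/* PRGA: emit one keystream byte K per input byte and XOR it in place.
 * XOR is its own inverse, so the same call both encrypts and decrypts. */
static void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len) {
    uint8_t S[256];
    rc4_ksa(S, key, keylen);
    uint8_t i = 0, j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;          /* swap(S[i], S[j]) */
        uint8_t K = S[(uint8_t)(S[i] + S[j])];
        buf[n] ^= K;
    }
}

/* Encrypt pt under key, compare with the expected ciphertext, then run the
 * identical call again and confirm the plaintext comes back. Returns 1 on success. */
int rc4_check(const char *key, const char *pt, const uint8_t *expect, size_t len) {
    uint8_t buf[64];
    if (len > sizeof buf) return 0;
    memcpy(buf, pt, len);
    rc4_crypt((const uint8_t *)key, strlen(key), buf, len);  /* encrypt */
    if (memcmp(buf, expect, len) != 0) return 0;
    rc4_crypt((const uint8_t *)key, strlen(key), buf, len);  /* decrypt = same call */
    return memcmp(buf, pt, len) == 0;
}

int main(void) {
    /* Published RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3 */
    const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    return rc4_check("Key", "Plaintext", expect, 9) ? 0 : 1;  /* exit 0 on match */
}
```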



Good :] We now have an RC4 shellcode encoder.


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx
