SLAE Assignment Extra: Nano 1-byte Hyperion decoder


Engage the Hyperion engine 


Hint: It's easier to read the code on GitHub!

Before attending SLAE, I had used the Hyperion encoder for the OSCP lab. I always noticed that the binaries created with Hyperion.exe were slow as hell, especially on machines with weak CPUs, but I never really figured out why. The SLAE course has given me the answer...

The Hyperion encoder generates a weak AES key for encrypting the binary. It then throws the key away (or forgets it, if you prefer) and creates a decoder stub which brute-forces that key at runtime. How genius is that? I really liked this simple yet awesome idea for a crypter, so as an extra assignment I wanted to recreate something similar.

Plan:
- Pick any XOR key; for exercise purposes, only one byte long
- The key is not hard-coded inside the binary
- The decoder stub brute-forces the key
- Upon finding the valid key, it decrypts and jumps to the decoded shellcode

One magic byte 


I don't know the Hyperion internals in detail, but to make this work I used a magic byte: we need some way to know when the XOR key is correct. I used the byte 0x77 (because it does not seem to be a commonly used instruction). If the key is valid, then the first decrypted byte should be 0x77.
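The encode / brute-force / decode round trip described above, written in C as an added illustration (this is not the assembly stub from the post or from Hyperion). The payload bytes and the function names are constructed for the example; the marker 0x77 and the key 0x5c are the values the post uses, and the jump into the decoded buffer is left out on purpose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAGIC 0x77  /* marker byte from the post: first plaintext byte of the blob */

/* Encoder side (the build step): prepend MAGIC, then XOR every byte with key.
 * Returns the encoded length (n + 1). */
size_t nano_encode(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    out[0] = MAGIC ^ key;
    for (size_t i = 0; i < n; i++)
        out[i + 1] = in[i] ^ key;
    return n + 1;
}

/* Decoder-stub logic: the key is not stored, so try all 256 values and keep the
 * one that turns the first byte back into MAGIC. With a one-byte XOR key exactly
 * one candidate satisfies this, so the marker check cannot give a false positive;
 * a longer key would need a longer marker. Returns the key, or -1 for an empty blob. */
int nano_find_key(const uint8_t *enc, size_t n)
{
    if (n == 0)
        return -1;
    for (int k = 0; k < 256; k++)
        if ((enc[0] ^ k) == MAGIC)
            return k;
    return -1; /* unreachable for a non-empty blob, kept for clarity */
}

/* Strip the marker and XOR the remaining bytes back. Returns the decoded length. */
size_t nano_decode(const uint8_t *enc, size_t n, uint8_t key, uint8_t *out)
{
    for (size_t i = 1; i < n; i++)
        out[i - 1] = enc[i] ^ key;
    return n - 1;
}

int main(void)
{
    /* Constructed stand-in for the payload bytes; not real shellcode. */
    const uint8_t payload[] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02};
    uint8_t enc[16], dec[16];
    size_t n = nano_encode(payload, sizeof payload, 0x5c, enc);
    int key = nano_find_key(enc, n);
    size_t m = nano_decode(enc, n, (uint8_t)key, dec);
    printf("recovered key 0x%02x, %zu bytes decoded, first byte 0x%02x\n", key, m, dec[0]);
    return 0;
}
```

The same brute-force loop is what an analyst runs when unpacking such a blob: the known marker turns the one-byte key into a 256-try search.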

Let's see the nano Hyperion code :] We will use the execve-stack shellcode from assignment 4, encoded with the XOR byte 0x5c.




Testing it.



Great!

Other interesting extra assignments 

I had a lot of ideas to code and test for the extra assignments. Unfortunately, I had no time to finish them or to work through the issues I faced while creating them. However, I am still willing to finish them, so feel free to jump onto the code and help or comment. Here is a quick list:

  1. Shellcode which makes the stack executable with ASLR enabled (so many segfaults there ...);
  2. Shellcode which uses a pseudo-random byte (reads microtime with MOV AH, 00h and INT 1AH) for a real polymorphic encoder (it would be easy to use these bytes as a XOR key);
  3. Shellcode which uses socket reuse for a bind shell (my knowledge of sockets is maybe too limited there).

These extra assignments are available on GitHub. Feel free to contribute!


Thanks for reading through all these SLAE blog posts!


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx
