the script is out of date not useful anymore by default.
there the result: https://www.virustotal.com/file/f088...is/1350717852/
thanks for the script.
Can anyone explain to me how XOR obfuscates the shellcode, which I can then put in the temp.c that is created in this script? I'm trying to understand how this works, so I'm going to try and do it manually, without the script. I know it's outdated, but can anyone explain it to me?
I haven't really looked at the script in depth for what it does, but I can tell you basically what's going on from my CTP experience with code caving. Using this to generate exes, as pointed out above, is not advisable; it's much better to code-cave something yourself. Look online for in-depth tutorials, but here's the gist.

Take a program and open it in a debugger. Find an empty section or create your own, and replace the first few instructions with a jump to the empty section, saving the first few instructions, the value in ESP, and the start address in Notepad or whatever. MAKE SURE TO SAVE ALL ADDRESSES! Then generate your shellcode using MSF and paste it in the exe at around 100 bytes past your jump point for ample space to play around.

Here's where XOR encoding comes in. Since the shellcode is analyzed by every AV, you must turn it into something that the AV can't recognize. By far the easiest way is XOR encoding, since double XOR encoding returns the original shellcode. The way to do that is to write an XOR loop. The easiest XOR loop is a one-byte jmp, but I prefer a 4-byte jump with a variable key, even if it's slightly harder to configure.
So now your program looks like this:
JMP TO CAVE
ORIGINAL CODE
.
.
.
.
.
JMP POINT (CAVE)
nop's
XOR ENCODER
nop's
SHELLCODE
.
THE INSTRUCTIONS YOU OVERWROTE!!!!!
MOV ESP, ORIGINAL VALUE!!!!
JMP BACK TO ORIGINAL PROGRAM!
...
Now here's how to program an XOR loop. Basically, from the start of the shellcode until the end: XOR the shellcode with the key, then INCREMENT or ADD 4 to EAX, then JMP to XOR LOOP START until EAX > SHELLCODE LAST MEM ADDRESS.
Assume 0001 is the start address of the shellcode for simplicity, and 00ff is the end of the shellcode.
Also assume that 1000 is the start address of the encoder. Our loop now looks like this:
1000 MOV EAX, 0001
1004 XOR DWORD PTR [EAX], {YOUR KEY IN HEX!!! I usually use something like 0x66656172, which is "fear" in ASCII} [the other option is XOR BYTE PTR [EAX], 0x{onebyte key}]
1008 ADD EAX, 4 [With the other option this would be INC EAX]
100B CMP EAX, 00ff
1010 JLE 1004
That basically does all I described. At this point, place a breakpoint at the end of the encoding loop, then let it run, and save all the changed shellcode in the file. Then, when you rerun the program, the encoding loop decodes it and runs the shellcode normally. This will hopefully change the shellcode enough for it to be unrecognizable to any AVs. I hope this helps.
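To make the loop in the post above concrete, here is an added Python model of it (not code from the thread or the script being discussed). It mirrors both variants the post describes (one-byte key with INC EAX, and a little-endian DWORD key with ADD EAX, 4), shows that running the same pass twice restores the input, and shows the analyst's side: because the key repeats, it falls out of ciphertext XOR plaintext as soon as a few aligned plaintext bytes are known. The key 0x66656172 is the post's; the sample buffer is constructed, not shellcode.

```python
import struct

# The 4-byte key the post uses ("fear" in ASCII); the post's key, not ours.
KEY_DWORD = 0x66656172
# Constructed sample input: plain text, not shellcode.
SAMPLE = b"constructed sample buffer, not shellcode"


def dword_key(value: int) -> bytes:
    """Byte order the CPU applies for XOR DWORD PTR [EAX], imm32:
    the immediate is XORed little-endian, so 0x66656172 hits memory as
    bytes 72 61 65 66."""
    return struct.pack("<I", value)


def xor_repeating(buf: bytes, key: bytes) -> bytes:
    """Model of the post's loop. A 1-byte key is the
    XOR BYTE PTR [EAX], k / INC EAX form; a 4-byte key is the
    XOR DWORD PTR [EAX], k / ADD EAX, 4 form. The loop is its own
    inverse: applying it twice returns the original bytes (the post's
    "double XOR encoding returns the original shellcode")."""
    if not key:
        raise ValueError("key must be at least one byte")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def recover_key(encoded: bytes, known_plain: bytes, key_len: int) -> bytes:
    """Analyst view (why this scheme offers little against an emulator or
    a known-plaintext check): with a repeating key,
    key = ciphertext XOR plaintext, so key_len aligned known bytes of
    the decoded buffer reveal the entire key."""
    if len(known_plain) < key_len or len(encoded) < key_len:
        raise ValueError("need at least key_len aligned known bytes")
    return bytes(c ^ p for c, p in zip(encoded[:key_len], known_plain[:key_len]))


def round_trip(buf: bytes, key: bytes) -> bool:
    """True when encoding then decoding with the same pass restores buf."""
    encoded = xor_repeating(buf, key)
    return encoded != buf and xor_repeating(encoded, key) == buf


if __name__ == "__main__":
    key = dword_key(KEY_DWORD)
    enc = xor_repeating(SAMPLE, key)
    print("round trip ok:", round_trip(SAMPLE, key))
    print("recovered key:", hex(struct.unpack("<I", recover_key(enc, SAMPLE, 4))[0]))
```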
Hi All,
Can anybody please explain the XOR section for this script?
Thanks