SLAE64: Assignment 4 – Custom Encoder

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:

Student-ID: PA-15847

The Objectives for the Assignment:

– create a custom encoding scheme like the Insertion Encoder
– PoC with execve stack as the shellcode to encode with your scheme and execute

So we used the following Python code, which applies three steps to every byte of the shellcode: add 13 (a ROT-13-style shift), XOR with the number of bytes still to be encoded (a per-byte key that counts down from the shellcode length), and a rotate right by 5 bits:

def ror(val, rot):
	# Rotate the low byte of val right by rot bits (8-bit rotate, wraps at 8 bits).
	val &= 0xff
	rot %= 8
	return ((val >> rot) | (val << (8 - rot))) & 0xff

def main():
	shellcode = b".....shellcode-here....."
	encoded = ""

	# i starts at the shellcode length and counts down, so each byte is
	# XORed with a different key; the decoder rebuilds it from its loop counter.
	i = len(shellcode)
	for x in shellcode:
		y = ror(((x + 13) ^ i) & 0xff, 5)

		encoded += "0x"
		encoded += "%02x," % y
		i -= 1
	print("\t" + encoded[:-1])

if __name__ == "__main__":
	main()
It will give us the following results:


Now we write the decoder stub. In the class this was done with the jmp-call-pop technique to find the address of the encoded bytes; on x86-64 a RIP-relative lea does the same job without the call, so that is what we use here:

global _start 

section .text

_start:
	jmp real_start

	encoded_shellcode: db .....encoded-shellcode-here....

real_start:
	lea rsi, [rel encoded_shellcode]   ; RIP-relative address of the encoded bytes

	xor rcx, rcx
	mov cl, 32          ; byte count: must equal the len(shellcode) used by the encoder
decode:
	rol byte [rsi], 0x5   ; undo the rotate right by 5
	xor byte [rsi], cl    ; undo the XOR: rcx equals the encoder's remaining-byte count i
	sub byte [rsi], 13    ; undo the +13
	inc rsi
	loop decode           ; rcx -= 1, continue while rcx != 0

	jmp short encoded_shellcode   ; run the decoded shellcode in place
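To check the scheme before wiring real bytes into the stub, here is an added example (not the post's code) that models both the Python encoder and the assembly decoder above in pure Python, verifies the round trip, and scans the encoded output for NUL bytes. The sample input is constructed, not real shellcode.

```python
# Added example: pure-Python model of the encoder and of the assembly decoder.

def ror8(val, rot):
    """Rotate an 8-bit value right by rot bits."""
    val &= 0xff
    rot %= 8
    return ((val >> rot) | (val << (8 - rot))) & 0xff

def rol8(val, rot):
    """Rotate an 8-bit value left by rot bits (the decoder's direction)."""
    return ror8(val, 8 - (rot % 8))

def encode(shellcode):
    """Per byte: add 13, XOR with the remaining-byte count, then ror 5."""
    out = bytearray()
    i = len(shellcode)
    for x in shellcode:
        out.append(ror8(((x + 13) ^ i) & 0xff, 5))
        i -= 1
    return bytes(out)

def decode(encoded):
    """Mirror of the stub: rol 5, XOR with the loop counter, sub 13."""
    out = bytearray()
    rcx = len(encoded)                  # 'mov cl, <len>'; loop decrements afterwards
    for y in encoded:
        x = rol8(y, 5) ^ rcx
        out.append((x - 13) & 0xff)     # 'sub byte [rsi], 13' wraps at 8 bits
        rcx -= 1
    return bytes(out)

def bad_chars(encoded, avoid=b"\x00"):
    """Offsets of bytes from `avoid` in the encoded buffer (NUL by default)."""
    return [n for n, b in enumerate(encoded) if b in avoid]

def to_db(encoded):
    """Format the encoded bytes as the NASM 'db' line used by the stub."""
    return "db " + ",".join("0x%02x" % b for b in encoded)

if __name__ == "__main__":
    # Constructed sample, not real shellcode: 32 bytes 0x00, 0x08, ..., 0xf8
    sample = bytes(range(0, 256, 8))
    enc = encode(sample)
    assert decode(enc) == sample
    print(to_db(enc))
    print("NUL bytes at offsets:", bad_chars(enc))
```

A NUL appears whenever a byte plus 13 equals the current counter value, so always run the scan before pasting the bytes into the stub.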

We’ll compile and run the code to get the original shellcode 🙂 Because the stub rewrites its own bytes in place, the .text section has to be writable when linking (for example with `ld -N`), otherwise the first `rol byte [rsi]` faults.

For the full code, please check the Github repository:
