This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:<\/p>\n\n\n\n
https:\/\/www.pentesteracademy.com\/course?id=7<\/a><\/p>\n\n\n\n Student-ID: PA-15847<\/strong><\/p>\n\n\n\n The Objectives for the Assignment:<\/p>\n\n\n\n – create a custom encoding scheme like the Insertion Encoder So we used the following python code by using a mixed usage of ROT 13, XOR and Right Shift 3 encoding scheme. <\/p>\n\n\n\n It will give us the following results:<\/p>\n\n\n\n Now we will use the decoder just as described in the class using jmp-call-pop technique:<\/p>\n\n\n\n We’ll compile and run the code to get the original shellcode \ud83d\ude42 <\/p>\n\n\n\n For the full code, please check the Github repository:<\/p>\n\n\n\n https:\/\/github.com\/areyou1or0\/SLAE64<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https:\/\/www.pentesteracademy.com\/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – create a custom encoding scheme like the Insertion Encoder– PoC with execve stack as the shellcode to encode with your scheme and execute So we used the following python… Continue reading SLAE64: Assignment 4 – Custom Encoder<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/157"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":165,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions\/165"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
– PoC with execve stack as the shellcode to encode with your scheme and execute<\/p>\n\n\n\ndef ror(val, rot):\n\treturn ((val & 0xff) >> rot % 8 ) | (val << ( 8 - (rot % 8)) & 0xff)\n\ndef main():\n\tshellcode = (\".....shellcode-here.....\")\n\tencoded = \"\"\n\n\ti = len(bytearray(shellcode))\n\tfor x in bytearray(shellcode):\n\t\ty = ror(((x+13)^i),5) \n\n\t\tencoded += \"0x\"\n\t\tencoded += \"%02x,\" % y\n\t\ti -= 1\n\tprint \"\\t\",encoded[:-1]\n\nif __name__ == \"__main__\":\n main()<\/code><\/pre>\n\n\n\n0x5d,0x48,0xf4,0x10,0x52,0xf4,0x89,0x9d,0x9b,0x1b,0x8a,0x4a,0x25,0x99,0x9c,0x11,0xa1,0xfe,0xd4,0x16,0xa6,0x39,0x9b,0x17,0xa7,0x3d,0xd4,0x65,0x72,0xd2,0x87,0xc4<\/strong><\/code><\/p>\n\n\n\nglobal _start \n\nsection .text\n\n_start:\n\tjmp real_start\n\tencoded_shellcode: db .....encoded-shellcode-here....\n \nreal_start:\n\tlea rsi, [rel encoded_shellcode]\n\ndecoder:\n\txor rax, rax\n\tadd al, 32\ndecode:\n\trol byte [rsi], 0x5 \n\txor byte [rsi], al \n\tsub byte [rsi], 13 \n\n\tinc rsi\n\tloop decode\n\n\tjmp short encoded_shellcode<\/code><\/pre>\n\n\n\n