Graphics Programs Reference
In-Depth Information
0x691
Polymorphic Printable ASCII Shellcode
Polymorphic shellcode refers to any shellcode that changes itself. The encod-
ing shellcode from the previous section is technically polymorphic, since it
modifies the string it uses while it's running. The new NOP sled uses instruc-
tions that assemble into printable ASCII bytes. There are other instructions
that fall into this printable range (from
0x33
to
0x7e
); however, the total set
is actually rather small.
The goal is to write shellcode that will get past the printable character
check. Trying to write complex shellcode with such a limited instruction set
would simply be masochistic, so instead, the printable shellcode will use simple
methods to build more complex shellcode on the stack. In this way, the print-
able shellcode will actually be instructions to make the real shellcode.
The first step is figuring out a way to zero out registers. Unfortunately, the
XOR instruction on the various registers doesn't assemble into the printable
ASCII character range. One option is to use the AND bitwise operation, which
assembles into the percent character (
%
) when using the EAX register. The
assembly instruction of
and eax, 0x41414141
will assemble to the printable
machine code of
%AAAA
, since
0x41
in hexadecimal is the printable character
A
.
An AND operation transforms bits as follows:
1 and 1 = 1
0 and 0 = 0
1 and 0 = 0
0
and 1 = 0
Since the only case where the result is 1 is when both bits are 1, if two
inverse values are ANDed onto EAX, EAX will become zero.
Binary Hexadecimal
1000101010011100100111101001010 0x454e4f4a
AND 0111010001100010011000000110101 AND 0x3a313035
------------------------------------ ---------------
0000000000000000000000000000000 0x00000000
Thus, by using two printable 32-bit values that are bitwise inverses of each
other, the EAX register can be zeroed without using any null bytes, and the
resulting assembled machine code will be printable text.
and eax, 0x454e4f4a ; Assembles into %JONE
and eax, 0x3a313035 ; Assembles into %501:
So
%JONE%501:
in machine code will zero out the EAX register. Interesting.
Some other instructions that assemble into printable ASCII characters are
shown in the box below.
sub eax, 0x41414141 -AAAA
push eax P
pop eax X
push esp T
p
op esp \
