SLAE: Assignment 4 of 7

Assignment #4:
- Create a custom encoding scheme like the "Insertion Encoder" demonstrated in the course
- Proof of concept using execve-stack as the shellcode to encode with your scheme and execute

First we get the shellcode of the execve-stack:



Note: Our encoder works and we now have our encoded shell. Now on to the assembly!

Note: We compile our decoder1.nasm code:

Note: our original shellcode was:

Note: We run our decoder1 program in gdb, and check the decoded value on the stack:

Breakpoint 1, 0x08048072 in DECODESHELL ()
0xbffff3f4:    0x31    0xc0    0x50    0x68    0x2f    0x2f    0x6c    0x73
0xbffff3fc:    0x68    0x2f    0x62    0x69    0x6e    0x89    0xe3    0x50
0xbffff404:    0x89    0xe2    0x53    0x89    0xe1    0xb0    0x0b    0xcd
0xbffff40c:    0x80    0x90    0x90    0x90    0x01    0x00    0x00    0x00

Note: Upon executing the decoder, we see the execve('/bin/ls') execute from the stack as expected - Nice!

Now we can improve our encoder and decoder by encoding in a stack-friendly manner.
The idea is that we'll PUSH the DWORDs onto the stack in reverse order (since the stack grows downward, the last DWORD pushed ends up at the lowest address, so pushing the chunks last-to-first rebuilds the shellcode in its original order).
This way, we can use the stack itself to save a few decoder bytes.

Doing this is easy in Python. First we take our shellcode and split it in chunks of 4 bytes:
splittedshellcode = [shellcode[i:i+4] for i in range(0, len(shellcode), 4)]

Then we reverse the array obtained:
reversedshellcode = splittedshellcode[::-1]

Then we concatenate (join) the chunks without any separator in between to form a new string.
joinedshellcode = "".join(reversedshellcode)

The above commands can be performed in a single command as follows:
shellcode_reversed = "".join([shellcode[i:i+4] for i in range(0, len(shellcode), 4)][::-1])
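The same chunk-and-reverse step, written out as an added example (not the post's encoder2.py) on the execve-stack bytes from the gdb dump above, with NOP padding to a DWORD boundary and a small model of the decoder's PUSH sequence to check that the original bytes come back. The function names and the little-endian push operands are this example's own.

```python
# Added example: stack-friendly "reverse DWORD" encoding of the execve-stack
# shellcode, plus a simulation of the decoder's PUSH loop as a round-trip check.
import struct

# execve("/bin//ls") stack shellcode, copied from the gdb memory dump above (25 bytes)
EXECVE_LS = bytes.fromhex(
    "31c050682f2f6c7368" "2f62696e89e35089e2" "5389e1b00bcd80"
)


def pad_to_dwords(shellcode: bytes) -> bytes:
    """Pad with NOP (0x90) so the shellcode splits into whole 4-byte DWORDs."""
    return shellcode + b"\x90" * (-len(shellcode) % 4)


def encode_reverse_dwords(shellcode: bytes) -> list:
    """Split into 4-byte chunks and reverse the chunk order (the post's one-liner,
    on bytes instead of a Python 2 str, with padding handled first)."""
    padded = pad_to_dwords(shellcode)
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return chunks[::-1]


def dword_push_operands(chunks: list) -> list:
    """Immediate operands for `push 0x...`: each chunk read little-endian, listed in
    the order the decoder pushes them (index 0 is pushed first)."""
    return ["0x%08x" % struct.unpack("<I", c)[0] for c in chunks]


def simulate_decoder(chunks: list) -> bytes:
    """Model the decoder: PUSH each DWORD in order onto a downward-growing stack and
    return memory from the final ESP upward, i.e. what the decoder jumps to."""
    stack = b""
    for c in chunks:
        stack = c + stack  # a push writes just below the previous top of stack
    return stack


def roundtrip_ok(shellcode: bytes) -> bool:
    """True when pushing the encoded chunks reproduces the original shellcode."""
    return simulate_decoder(encode_reverse_dwords(shellcode)).startswith(shellcode)
```

The first operand emitted is 0x90909080 (the padded tail `80 90 90 90`), which matches the last DWORD visible in the gdb dump above.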

Our new encoder (


Note: Our encoder2 script works and we now have our encoded shellcode. Effectively we've reversed the whole shellcode, 4-byte chunk by 4-byte chunk.
Our encoder can be simplified even more:
Our new encoder (

We can now simplify the assembly decoder:

Note: The size of our finished assembly decoder is 10 bytes.

Note: We see the directory listing of our current directory, which means our shellcode execve('/bin/ls') ran successfully.
