Talk:Alphanumeric shellcode
Description of what the program does:
%## = and ax, ## (remember that x86 uses little endian order!)
-## = sub ax, ##
P = push ax (search for "computer stack" or something)
X = pop ax
\ = pop sp
T = push sp
1. The program calculates the value of "50 bytes after where the algorithm ends" (That is, at the 50th "X")
2. It sets the stack pointer to point to that location
3. It calculates a hexadecimal C3C3 and places it in the AX-cpu register. (Sort of like a very-very-fast variable)
4. It pushes (overwrites) "C3C3" to the stack (that is, at the 50th and 51st Xes. Remember that push always pushes 16 bits.)
5. It just runs into the Xes.
The reason why it has to calculate the values is that it is impossible to store this information in alphanumeric writeable ASCII. The values are simply way out of reach of anything that you can write with an ordinary keyboard.
C3 means "RET" in x86 assembly language. It returns back to the previous routine/function by popping a new IP (Instruction Pointer) off the stack.
The reason why I chose to rewrite the code only after 50 bytes is because of the Prefetch Input Queue. Kind of complicated. The CPU reads its code some cycles before it executes it, so, well, I had to be sure it wasn't already loaded into the PIQ.
0912:0100 252121  AND AX,2121
0912:0103 254242  AND AX,4242   ; ( *something* AND 0x2121 ) AND 0x4242 = Always zero
0912:0106 2D7A74  SUB AX,747A
0912:0109 2D2121  SUB AX,2121
0912:010C 2D6325  SUB AX,2563   ; 0 - large number = 168. Use wraparound for CPU registers. (really it's modulo 65335!)
0912:010F 50      PUSH AX
0912:0110 5C      POP SP        ; push-pop is sometimes used to swap values for registers quick and dirty.
0912:0111 252121  AND AX,2121
0912:0114 254242  AND AX,4242   ; again, zero register AX.
0912:0117 2D3D3C  SUB AX,3C3D   ; 0 - 0x3C3D equals 0xC3C3 (remember little endian order and modulo 65335)
0912:011A 50      PUSH AX       ; self-modifying code here :)
0912:011B 58      POP AX
0912:011C 58      POP AX
0912:011D 58      POP AX        ; And lots of pop-ax to feed the processor. Remember it eats code miles before it
0912:011E 58      POP AX        ; executes it, so we need to have a large buffer. Just to be sure, I used 50 bytes.
0912:011F 58      POP AX        ; Most processors will have a smaller PIQ, but there might be superduperones with larger?
(...)
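As an added example (not part of the original post), here is a small Python emulator for exactly the instruction subset used in the listing above: it shows the 16-bit wraparound arithmetic that turns printable immediates into the 0xC3C3 RET pair, and records where each PUSH lands so the stack write can be traced. The starting AX and SP values, and the rule that never-written memory reads back as "XX", are constructed assumptions.

```python
MASK = 0xFFFF  # 16-bit registers wrap around modulo 2**16

class Cpu:
    def __init__(self, ax=0x1234, sp=0xFFFE):
        self.ax, self.sp = ax, sp  # constructed start values; the AND pair clears AX anyway
        self.mem = {}              # sparse word memory: address -> 16-bit value
        self.writes = []           # (address, value) of every PUSH, to see where words land

    def push(self, value):
        self.sp = (self.sp - 2) & MASK
        self.mem[self.sp] = value & MASK
        self.writes.append((self.sp, value & MASK))

    def pop(self):
        value = self.mem.get(self.sp, 0x5858)  # constructed: never-written memory reads as "XX"
        self.sp = (self.sp + 2) & MASK
        return value

def run(code, cpu=None):
    """Execute the printable opcode subset from the listing; stop at the first other byte."""
    cpu = cpu or Cpu()
    i = 0
    while i < len(code):
        op = code[i]
        if op in (0x25, 0x2D):                 # '%' AND AX,imm16 / '-' SUB AX,imm16
            if i + 2 >= len(code):
                break                          # truncated immediate
            imm = code[i + 1] | (code[i + 2] << 8)   # immediates are little endian
            cpu.ax = cpu.ax & imm if op == 0x25 else (cpu.ax - imm) & MASK
            i += 3
            continue
        if op == 0x50:                         # 'P' PUSH AX
            cpu.push(cpu.ax)
        elif op == 0x58:                       # 'X' POP AX
            cpu.ax = cpu.pop()
        elif op == 0x5C:                       # '\' POP SP
            cpu.sp = cpu.pop()
        elif op == 0x54:                       # 'T' PUSH SP
            cpu.push(cpu.sp)
        else:
            break                              # byte outside the subset
        i += 1
    return cpu

def all_printable(code):
    """True when every byte is printable ASCII (0x20..0x7E), the constraint the post describes."""
    return all(0x20 <= b <= 0x7E for b in code)

# Constructed from the listing: each instruction's bytes spelled as the characters they encode.
PAYLOAD = b"%!!%BB-zt-!!-c%P\\%!!%BB-=<P" + b"X" * 50
```

Running `run(PAYLOAD).writes` shows the two pushes: first the computed stack pointer, then the 0xC3C3 word that the following POP AX sequence reads back.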