Talk:Alphanumeric shellcode
Description of what the program does:
%## = and ax, ## (remember that x86 uses little endian order!)
-## = sub ax, ##
P = push ax (search for "computer stack" or something)
X = pop ax
\ = pop sp
T = push sp
A = inc cx
1. The program calculates the value of "50 bytes after where the algorithm ends"
2. It sets the stack pointer to point to that location
3. It calculates a hexadecimal C3C3 and places it in the AX-cpu register. (Sort of like a very-very-fast variable)
4. It pushes (overwrites) "C3C3" to the stack
5. It jumps to the written code.
The reason why it has to calculate the values is that it is impossible to store this information in alphanumeric writeable ASCII. The values are simply way out of reach of anything that you can write with an ordinary keyboard.
C3 means "RET" in x86 assembly language. It returns back to the previous routine/function by popping a new IP (Instruction Pointer) off the stack.
The reason why I chose to rewrite the code only after 50 bytes is because of the Prefetch Input Queue. Kind of complicated. The CPU reads its codes some cycles before it executes them, so, well, I had to be sure it wasn't already loaded into the PIQ.
 0912:0100 252121 AND AX,2121 ; %!!
 0912:0103 254242 AND AX,4242 ; %BB .. null ax-register (register = very very fast variable hardcoded in the cpu)
 0912:0106 2D747A SUB AX,7A74
 0912:0109 2D2121 SUB AX,2121
 0912:010C 2D2563 SUB AX,6325 ; zero minus large numbers equals 0x146 (the program starts at 0x100 + code + 50 bytes)
 0912:010F 50     PUSH AX
 0912:0110 5C     POP SP       ; set the stack pointer to this location (*sp = 0x146 in C'ish)
 0912:0111 252121 AND AX,2121
 0912:0114 254242 AND AX,4242 ; null ax-register again
 0912:0117 2D3D3C SUB AX,3C3D ; 0 - 0x3D3C = 0xC3C3 (remember little endian byte order)
 0912:011A 50     PUSH AX      ; *sp = 0xC3C3 ... C3 = "RET" in x86 assembly, meaning "return from function" or "}" in C'ish.
 0912:011B 7528   JNZ 0145     ; "goto *sp", think of it as the last "}" in the main-function (...)
%!!%BB-tz-!!-%cP\%!!%BB-=<Pu(
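An added worked example, not part of the original talk-page post and not the poster's code: a small C program that generalizes the "AND, AND, SUB, SUB, SUB" trick above into an encoder. Given any 16-bit target it searches for three immediates whose every byte is printable ASCII and whose subtraction chain lands on the target, emits the 15-byte opcode string, and checks it with a tiny emulator of the two opcodes involved (0x25 = AND AX,imm16, 0x2D = SUB AX,imm16). It assumes 16-bit real-mode semantics (AX wraps modulo 2^16) and takes the allowed byte set to be printable ASCII 0x21..0x7E, which is what the posted string actually uses; the function names, the garbage starting value 0xBEEF and the 0x2121/0x4242 clearing masks (reused from the listing above because 0x21 & 0x42 == 0) are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OP_AND_AX_IMM16 0x25   /* '%' : AND AX, imm16 */
#define OP_SUB_AX_IMM16 0x2D   /* '-' : SUB AX, imm16 */

/* Allowed byte set: printable ASCII minus space (assumption of this example;
 * the posted string itself uses '!', '%', '-', '=', '<', '(' and '\\'). */
static int is_printable(unsigned b) { return b >= 0x21 && b <= 0x7E; }

/* Find immediates a, b, c (every byte printable) such that
 * (0 - a - b - c) mod 2^16 == target, i.e. a + b + c == -target mod 2^16.
 * The low bytes are chosen first; the carry out of the low-byte sum is
 * then folded into the high-byte search.  Returns 1 on success, else 0. */
static int find_sub_chain(uint16_t target, uint16_t imm[3])
{
    unsigned needed = (0x10000u - target) & 0xFFFFu;
    unsigned nlo = needed & 0xFFu, nhi = needed >> 8;

    for (unsigned alo = 0x21; alo <= 0x7E; alo++)
        for (unsigned blo = 0x21; blo <= 0x7E; blo++) {
            unsigned clo = (nlo - alo - blo) & 0xFFu;
            if (!is_printable(clo)) continue;
            unsigned carry = (alo + blo + clo) >> 8;        /* 0, 1 or 2 */
            for (unsigned ahi = 0x21; ahi <= 0x7E; ahi++)
                for (unsigned bhi = 0x21; bhi <= 0x7E; bhi++) {
                    unsigned chi = (nhi - carry - ahi - bhi) & 0xFFu;
                    if (!is_printable(chi)) continue;
                    imm[0] = (uint16_t)((ahi << 8) | alo);
                    imm[1] = (uint16_t)((bhi << 8) | blo);
                    imm[2] = (uint16_t)((chi << 8) | clo);
                    return 1;
                }
        }
    return 0;
}

/* Emit AND AX,2121h ; AND AX,4242h ; SUB AX,a ; SUB AX,b ; SUB AX,c.
 * 0x2121 & 0x4242 == 0, so the two ANDs clear AX whatever it held.
 * Returns the number of bytes written (15), or 0 if no chain exists. */
static size_t encode_load_ax(uint16_t target, uint8_t out[15])
{
    uint16_t imm[3];
    size_t n = 0;
    if (!find_sub_chain(target, imm)) return 0;
    out[n++] = OP_AND_AX_IMM16; out[n++] = 0x21; out[n++] = 0x21;
    out[n++] = OP_AND_AX_IMM16; out[n++] = 0x42; out[n++] = 0x42;
    for (int i = 0; i < 3; i++) {
        out[n++] = OP_SUB_AX_IMM16;
        out[n++] = (uint8_t)(imm[i] & 0xFF);   /* little endian: low byte first */
        out[n++] = (uint8_t)(imm[i] >> 8);
    }
    return n;
}

/* Execute a stream of AND AX,imm16 / SUB AX,imm16 instructions starting
 * with AX = ax and return the final AX.  Any other opcode stops execution. */
static uint16_t run_ax_ops(const uint8_t *code, size_t len, uint16_t ax)
{
    for (size_t ip = 0; ip + 3 <= len; ip += 3) {
        uint16_t imm = (uint16_t)(code[ip + 1] | (code[ip + 2] << 8));
        if (code[ip] == OP_AND_AX_IMM16)      ax &= imm;
        else if (code[ip] == OP_SUB_AX_IMM16) ax = (uint16_t)(ax - imm);
        else break;
    }
    return ax;
}

static int all_printable(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_printable(code[i])) return 0;
    return 1;
}

/* Encode target, check every byte is printable, and emulate from a
 * garbage AX to confirm the chain really lands on target. */
static int roundtrip_ok(uint16_t target)
{
    uint8_t buf[15];
    size_t n = encode_load_ax(target, buf);
    return n == 15 && all_printable(buf, n) && run_ax_ops(buf, n, 0xBEEF) == target;
}

/* The two chains from the posted string, run through the emulator:
 * "%!!%BB-tz-!!-%c" should give 0x0146, "%!!%BB-=<" should give 0xC3C3. */
static uint16_t page_first_chain(void)
{
    static const uint8_t code[] = "%!!%BB-tz-!!-%c";
    return run_ax_ops(code, sizeof code - 1, 0xDEAD);
}
static uint16_t page_second_chain(void)
{
    static const uint8_t code[] = "%!!%BB-=<";
    return run_ax_ops(code, sizeof code - 1, 0x0146);
}

int main(void)
{
    uint8_t buf[15];
    uint16_t want = 0xC3C3;                    /* RET; RET, as on the page */
    size_t n = encode_load_ax(want, buf);
    if (!n) { puts("no printable encoding"); return 1; }
    printf("AX := %04X encodes as \"%.*s\", emulated AX = %04X\n",
           want, (int)n, (const char *)buf, run_ax_ops(buf, n, 0xFFFF));
    printf("posted chains give AX = %04X then %04X\n",
           page_first_chain(), page_second_chain());
    return 0;
}
```

With the printable set every 16-bit value is reachable in three subtractions (three bytes in 0x21..0x7E sum to anything from 0x63 to 0x17A, which covers every residue modulo 256 for the low byte, and the high byte absorbs the carry the same way); narrowing `is_printable` to strict letters and digits makes `find_sub_chain` return 0 for some targets, which is exactly the failure a real alphanumeric encoder has to handle by adding more instructions.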